PR#50703: Ticket 48707 - ldapssotoken for authentication - 389-ds-base

389-ds-base

#50703 Ticket 48707 - ldapssotoken for authentication

Closed 3 years ago by spichugi. Opened 4 years ago by firstyear.

firstyear/389-ds-base 48707-ldap-token-impl-rs into master

Ticket 48707 - ldapssotoken for authentication

William Brown • 4 years ago

38fe768

Makefile.am

file modified

+35 -4

		`@@ -226,7 +226,7 @@`
		`$(POLICY_FC)`

		`if RUST_ENABLE`
		`- BUILT_SOURCES += rust-slapi-private.h`
		`+ BUILT_SOURCES += rust-slapi-private.h rust-nsslapd-private.h`
		`endif`

		`if enable_posix_winsync`
		`@@ -1214,7 +1214,7 @@`

		`if RUST_ENABLE`

		`- noinst_LTLIBRARIES = librsds.la librslapd.la`
		`+ noinst_LTLIBRARIES = librsds.la librslapd.la librnsslapd.la`

		`### Why does this exist?`
		`#`
		`@@ -1262,8 +1262,29 @@`
		`# The header needs the lib build first.`
		`rust-slapi-private.h: @abs_top_builddir@/rs/@rust_target_dir@/librslapd.a`

		`+ # Build rust ns-slapd components as a library.`
		`+ RNSSLAPD_LIB = @abs_top_builddir@/rs/@rust_target_dir@/librnsslapd.a`
		`+`
		`+ librnsslapd_la_SOURCES = \`
		`+ src/librnsslapd/Cargo.toml \`
		`+ src/librnsslapd/build.rs \`
		`+ src/librnsslapd/src/lib.rs`
		`+`
		`+ librnsslapd_la_EXTRA = src/librnsslapd/Cargo.lock`
		`+`
		`+ @abs_top_builddir@/rs/@rust_target_dir@/librnsslapd.a: $(librnsslapd_la_SOURCES)`
		`+ RUST_BACKTRACE=1 RUSTC_BOOTSTRAP=1 \`
		`+ CARGO_TARGET_DIR=$(abs_top_builddir)/rs \`
		`+ SLAPD_HEADER_DIR=$(abs_top_builddir)/ \`
		`+ cargo rustc $(RUST_OFFLINE) --manifest-path=$(srcdir)/src/librnsslapd/Cargo.toml \`
		`+ $(CARGO_FLAGS) --verbose -- $(RUSTC_FLAGS)`
		`+`
		`+ # The header needs the lib build first.`
		`+ rust-nsslapd-private.h: @abs_top_builddir@/rs/@rust_target_dir@/librnsslapd.a`
		`+`
		`EXTRA_DIST = $(librsds_la_SOURCES) $(librsds_la_EXTRA) \`
		`- $(librslapd_la_SOURCES) $(librslapd_la_EXTRA)`
		`+ $(librslapd_la_SOURCES) $(librslapd_la_EXTRA) \`
		`+ $(librnsslapd_la_SOURCES) $(librnsslapd_la_EXTRA)`

		`## Run rust tests`
		`# cargo does not support offline tests :(`
		`@@ -1277,6 +1298,10 @@`
		`CARGO_TARGET_DIR=$(abs_top_builddir)/rs \`
		`SLAPD_HEADER_DIR=$(abs_top_builddir)/ \`
		`cargo test $(RUST_OFFLINE) --manifest-path=$(srcdir)/src/librslapd/Cargo.toml`
		`+ RUST_BACKTRACE=1 RUSTC_BOOTSTRAP=1 \`
		`+ CARGO_TARGET_DIR=$(abs_top_builddir)/rs \`
		`+ SLAPD_HEADER_DIR=$(abs_top_builddir)/ \`
		`+ cargo test $(RUST_OFFLINE) --manifest-path=$(srcdir)/src/librnsslapd/Cargo.toml`
		`endif`

		`else`
		`@@ -1439,12 +1464,13 @@`

		`libslapd_la_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SASL_CFLAGS) @db_inc@ $(KERBEROS_CFLAGS) $(PCRE_CFLAGS) $(SDS_CPPFLAGS) $(SVRCORE_INCLUDES)`
		`libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(KERBEROS_LIBS) $(PCRE_LIBS) $(THREADLIB) $(SYSTEMD_LIBS) libsds.la libsvrcore.la`
		`+ libslapd_la_LDFLAGS = $(AM_LDFLAGS) $(SLAPD_LDFLAGS)`

		`if RUST_ENABLE`
		`libslapd_la_LIBADD += $(RSLAPD_LIB)`
		`+ libslapd_la_LDFLAGS += -lssl`
		`endif`

		`- libslapd_la_LDFLAGS = $(AM_LDFLAGS) $(SLAPD_LDFLAGS)`


		`#////////////////////////////////////////////////////////////////`
		`@@ -2152,6 +2178,9 @@`
		`ns_slapd_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SASL_CFLAGS) $(SVRCORE_INCLUDES)`
		`ns_slapd_LDADD = libslapd.la libldaputil.la libsvrcore.la $(LDAPSDK_LINK) $(NSS_LINK) $(LIBADD_DL) \`
		`$(NSPR_LINK) $(SASL_LINK) $(LIBNSL) $(LIBSOCKET) $(THREADLIB) $(SYSTEMD_LIBS) $(EVENT_LINK)`
		`+ if RUST_ENABLE`
		`+ ns_slapd_LDADD += $(RNSSLAPD_LIB)`
		`+ endif`
		`ns_slapd_DEPENDENCIES = libslapd.la libldaputil.la`
		`# We need to link ns-slapd with the C++ compiler on HP-UX since we load`
		`# some C++ shared libraries (such as icu).`
		`@@ -2161,6 +2190,7 @@`
		`ns_slapd_LINK = $(LINK)`
		`endif`

		`+`
		`#------------------------`
		`# pwdhash`
		`#------------------------`
		`@@ -2299,6 +2329,7 @@`
		`-e 's,@enable_ubsan\@,$(UBSAN_ON),g' \`
		`-e 's,@SANITIZER\@,$(SANITIZER),g' \`
		`-e 's,@enable_perl\@,@enable_perl@,g' \`
		`+ -e 's,@enable_rust\@,@enable_rust@,g' \`
		`-e 's,@ECHO_N\@,$(ECHO_N),g' \`
		`-e 's,@ECHO_C\@,$(ECHO_C),g' \`
		`-e 's,@brand\@,$(brand),g' \`

configure.ac

file modified

		`@@ -98,6 +98,8 @@`
		`if test "$enable_rust" = yes -o "$enable_rust_offline" = yes; then`
		`AC_CHECK_PROG(CARGO, [cargo], [yes], [no])`
		`AC_CHECK_PROG(RUSTC, [rustc], [yes], [no])`
		`+ # Since fernet uses the openssl lib.`
		`+ PKG_CHECK_MODULES([OPENSSL], [openssl])`

		`AS_IF([test "$CARGO" != "yes" -o "$RUSTC" != "yes"], [`
		`AC_MSG_FAILURE("Rust based plugins cannot be built cargo=$CARGO rustc=$RUSTC")`
		`@@ -105,6 +107,7 @@`


		`fi`
		`+ AC_SUBST([enable_rust])`
		`AM_CONDITIONAL([RUST_ENABLE],[test "$enable_rust" = yes -o "$enable_rust_offline" = yes])`

		`AC_MSG_CHECKING(for --enable-debug)`

dirsrvtests/tests/suites/auth_token/__init__.py

file added

empty or binary file added

dirsrvtests/tests/suites/auth_token/basic_auth_test.py

file added

+240

		`@@ -0,0 +1,240 @@`
		`+ # --- BEGIN COPYRIGHT BLOCK ---`
		`+ # Copyright (C) 2019 William Brown <william@blackhats.net.au>`
		`+ # All rights reserved.`
		`+ #`
		`+ # License: GPL (version 3 or any later version).`
		`+ # See LICENSE for details.`
		`+ # --- END COPYRIGHT BLOCK ---`
		`+`
		`+ import ldap`
		`+ import pytest`
		`+ import time`
		`+ from lib389.idm.user import nsUserAccounts, UserAccounts`
		`+ from lib389.topologies import topology_st as topology`
		`+ from lib389.paths import Paths`
		`+ from lib389.utils import ds_is_older`
		`+ from lib389._constants import *`
		`+ from lib389.idm.directorymanager import DirectoryManager`
		`+ from lib389.idm.account import Anonymous`
		`+ from lib389.extended_operations import LdapSSOTokenRequest`
		`+`
		`+ default_paths = Paths()`
		`+`
		`+ pytestmark = pytest.mark.tier1`
		`+`
		`+ USER_PASSWORD = "password aouoaeu"`
		`+ TEST_KEY = "4PXhmtKG7iCdT9C49GoBdD92x5X1tvF3eW9bHq4ND2Q="`
		`+`
		`+ @pytest.mark.skipif(not default_paths.rust_enabled or ds_is_older('1.4.2.0'), reason="Auth tokens are not available in older versions")`
		`+ def test_ldap_auth_token_config(topology):`
		`+ """ Test that we are able to configure the ldapssotoken backend with various types and states.`
		`+`
		`+ :id: e9b9360b-76df-40ef-9f45-b448df4c9eda`
		`+`
		`+ :setup: Standalone instance`
		`+`
		`+ :steps:`
		`+ 1. Enable the feature`
		`+ 2. Set a key manually.`
		`+ 3. Regerate a key server side.`
		`+ 4. Attempt to set invalid keys.`
		`+ 5. Disable the feature`
		`+ 6. Assert that key changes are rejected`
		`+`
		`+ :expectedresults:`
		`+ 1. Feature enables`
		`+ 2. Key is set and accepted`
		`+ 3. The key is regenerated and unique`
		`+ 4. The key is rejected`
		`+ 5. The disable functions online`
		`+ 6. The key changes are rejected`
		`+ """`
		`+ # Enable token`
		`+ topology.standalone.config.set('nsslapd-enable-ldapssotoken', 'on') # enable it.`
		`+ # Set a key`
		`+ topology.standalone.config.set('nsslapd-ldapssotoken-secret', TEST_KEY)`
		`+ # regen a key`
		`+ topology.standalone.config.remove_all('nsslapd-ldapssotoken-secret')`
		`+ k1 = topology.standalone.config.get_attr_val_utf8('nsslapd-ldapssotoken-secret')`
		`+ assert(k1 != TEST_KEY)`
		`+ # set an invalid key`
		`+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):`
		`+ topology.standalone.config.set('nsslapd-ldapssotoken-secret', 'invalid key')`
		`+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):`
		`+ topology.standalone.config.set('nsslapd-ldapssotoken-secret', '')`
		`+ # Disable token`
		`+ topology.standalone.config.set('nsslapd-enable-ldapssotoken', 'off') # disable it.`
		`+ # Set a key`
		`+ with pytest.raises(ldap.OPERATIONS_ERROR):`
		`+ topology.standalone.config.set('nsslapd-ldapssotoken-secret', TEST_KEY)`
		`+ # regen a key`
		`+ with pytest.raises(ldap.OPERATIONS_ERROR):`
		`+ topology.standalone.config.remove_all('nsslapd-ldapssotoken-secret')`
		`+`
		`+`
		`+ @pytest.mark.skipif(not default_paths.rust_enabled or ds_is_older('1.4.2.0'), reason="Auth tokens are not available in older versions")`
		`+ def test_ldap_auth_token_nsuser(topology):`
		`+ """`
		`+ Test that we can generate and authenticate with authentication tokens`
		`+ for users in the directory, as well as security properties around these`
		`+ tokens.`
		`+`
		`+ :id: 65335341-c85b-457d-ac7d-c4079ac90a60`
		`+`
		`+ :setup: Standalone instance`
		`+`
		`+ :steps:`
		`+ 1. Create an account`
		`+ 2. Generate a token for the account`
		`+ 3. Authenticate with the token`
		`+ 4. Assert that a token can not be issued from a token-authed account`
		`+ 5. Regenerate the server key`
		`+ 6. Assert the token no longer authenticates`
		`+`
		`+ :expectedresults:`
		`+ 1. Account is created`
		`+ 2. Token is generated`
		`+ 3. Token authenticates`
		`+ 4. Token is NOT issued`
		`+ 5. The key is regenerated`
		`+ 6. The token fails to bind.`
		`+ """`
		`+ topology.standalone.enable_tls()`
		`+ topology.standalone.config.set('nsslapd-enable-ldapssotoken', 'on') # enable it.`
		`+ nsusers = nsUserAccounts(topology.standalone, DEFAULT_SUFFIX)`
		`+ # Create a user as dm.`
		`+ user = nsusers.create(properties={`
		`+ 'uid': 'test_nsuser',`
		`+ 'cn': 'test_nsuser',`
		`+ 'displayName': 'testNsuser',`
		`+ 'legalName': 'testNsuser',`
		`+ 'uidNumber': '1001',`
		`+ 'gidNumber': '1001',`
		`+ 'homeDirectory': '/home/testnsuser',`
		`+ 'userPassword': USER_PASSWORD,`
		`+ })`
		`+ # Create a new con and bind as the user.`
		`+ user_conn = user.bind(USER_PASSWORD)`
		`+ user_account = nsUserAccounts(user_conn, DEFAULT_SUFFIX).get('test_nsuser')`
		`+ # From the user_conn do an extop_s for the token`
		`+ token = user_account.request_sso_token()`
		`+ # Great! Now do a bind where the token is the pw:`
		`+ # user_conn_tok = user.bind(token)`
		`+ user_conn_tok = user.authenticate_sso_token(token)`
		`+ # Assert whoami.`
		`+ # Assert that user_conn_tok with the token can NOT get a new token.`
		`+ user_tok_account = nsUserAccounts(user_conn_tok, DEFAULT_SUFFIX).get('test_nsuser')`
		`+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):`
		`+ user_tok_account.request_sso_token()`
		`+`
		`+ # Check with a lowered ttl (should deny)`
		`+ topology.standalone.config.set('nsslapd-ldapssotoken-ttl-secs', '1') # Set a low ttl`
		`+ # Ensure it's past - the one time I'll allow a sleep ....`
		`+ time.sleep(2)`
		`+ with pytest.raises(ldap.INVALID_CREDENTIALS):`
		`+ user.authenticate_sso_token(token)`
		`+ topology.standalone.config.set('nsslapd-ldapssotoken-ttl-secs', '3600') # Set a reasonable`
		`+`
		`+ # Regenerate the server token key`
		`+ topology.standalone.config.remove_all('nsslapd-ldapssotoken-secret')`
		`+ # check we fail to authenticate.`
		`+ with pytest.raises(ldap.INVALID_CREDENTIALS):`
		`+ user.authenticate_sso_token(token)`
		`+`
		`+ @pytest.mark.skipif(not default_paths.rust_enabled or ds_is_older('1.4.2.0'), reason="Auth tokens are not available in older versions")`
		`+ def test_ldap_auth_token_disabled(topology):`
		`+ """ Assert when the feature is disabled that token operations are not able to progress`
		`+`
		`+ :id: ccde5d0b-7f2d-49d5-b9d5-f7082f8f36a3`
		`+`
		`+ :setup: Standalone instance`
		`+`
		`+ :steps:`
		`+ 1. Create a user`
		`+ 2. Attempt to get a token.`
		`+ 3. Enable the feature, get a token, then disable it.`
		`+ 4. Attempt to auth`
		`+`
		`+ :expectedresults:`
		`+ 1. Success`
		`+ 2. Fails to get a token`
		`+ 3. Token is received`
		`+ 4. Auth fails as token is disabled.`
		`+ """`
		`+ topology.standalone.enable_tls()`
		`+ topology.standalone.config.set('nsslapd-enable-ldapssotoken', 'off') # disable it.`
		`+ nsusers = nsUserAccounts(topology.standalone, DEFAULT_SUFFIX)`
		`+ # Create a user as dm.`
		`+ user = nsusers.create(properties={`
		`+ 'uid': 'test_nsuser1',`
		`+ 'cn': 'test_nsuser1',`
		`+ 'displayName': 'testNsuser1',`
		`+ 'legalName': 'testNsuser1',`
		`+ 'uidNumber': '1002',`
		`+ 'gidNumber': '1002',`
		`+ 'homeDirectory': '/home/testnsuser1',`
		`+ 'userPassword': USER_PASSWORD,`
		`+ })`
		`+ # Create a new con and bind as the user.`
		`+ user_conn = user.bind(USER_PASSWORD)`
		`+ user_account = nsUserAccounts(user_conn, DEFAULT_SUFFIX).get('test_nsuser1')`
		`+ # From the user_conn do an extop_s for the token`
		`+ with pytest.raises(ldap.PROTOCOL_ERROR):`
		`+ user_account.request_sso_token()`
		`+ # Now enable it`
		`+ topology.standalone.config.set('nsslapd-enable-ldapssotoken', 'on')`
		`+ token = user_account.request_sso_token()`
		`+ # Now disable`
		`+ topology.standalone.config.set('nsslapd-enable-ldapssotoken', 'off')`
		`+ # Now attempt to bind (should fail)`
		`+ with pytest.raises(ldap.INVALID_CREDENTIALS):`
		`+ user_account.authenticate_sso_token(token)`
		`+`
		`+`
		`+ @pytest.mark.skipif(not default_paths.rust_enabled or ds_is_older('1.4.2.0'), reason="Auth tokens are not available in older versions")`
		`+ def test_ldap_auth_token_directory_manager(topology):`
		`+ """ Test token auth with directory manager is denied`
		`+`
		`+ :id: ec9aec64-3edf-4f3f-853a-7527b0c42124`
		`+`
		`+ :setup: Standalone instance`
		`+`
		`+ :steps:`
		`+ 1. Attempt to generate a token as DM`
		`+`
		`+ :expectedresults:`
		`+ 1. Fails`
		`+ """`
		`+ topology.standalone.enable_tls()`
		`+ topology.standalone.config.set('nsslapd-enable-ldapssotoken', 'on') # enable it.`
		`+`
		`+ dm = DirectoryManager(topology.standalone)`
		`+ # Try getting a token at DM, should fail.`
		`+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):`
		`+ dm.request_sso_token()`
		`+`
		`+ ## test as anon (will fail)`
		`+ @pytest.mark.skipif(not default_paths.rust_enabled or ds_is_older('1.4.2.0'), reason="Auth tokens are not available in older versions")`
		`+ def test_ldap_auth_token_anonymous(topology):`
		`+ """ Test token auth with Anonymous is denied.`
		`+`
		`+ :id: 966068c3-fbc6-468d-a554-18d68d1d895b`
		`+`
		`+ :setup: Standalone instance`
		`+`
		`+ :steps:`
		`+ 1. Attempt to generate a token as Anonymous`
		`+`
		`+ :expectedresults:`
		`+ 1. Fails`
		`+ """`
		`+ topology.standalone.enable_tls()`
		`+ topology.standalone.config.set('nsslapd-enable-ldapssotoken', 'on') # enable it.`
		`+`
		`+ anon_conn = Anonymous(topology.standalone).bind()`
		`+ # Build the request`
		`+ req = LdapSSOTokenRequest()`
		`+ # Get the response`
		`+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):`
		`+ (_, res) = anon_conn.extop_s(req, escapehatch='i am sure')`
		`+`

ldap/admin/src/defaults.inf.in

file modified

		`@@ -22,6 +22,7 @@`
		`version = @PACKAGE_VERSION@`
		`asan_enabled = @enable_asan@`
		`enable_perl = @enable_perl@`
		`+ enable_rust = @enable_rust@`
		`with_systemd = @with_systemd@`
		`with_selinux = @with_selinux@`
		`prefix = @prefixdir@`

ldap/servers/slapd/bind.c

file modified

+26 -4

		`@@ -739,9 +739,30 @@`
		`if (!auto_bind) {`
		`/*`
		`* Okay, we've made it here. FINALLY check if the entry really`
		`- * can bind or not. THIS IS THE PASSWORD CHECK.`
		`+ * can bind or not. THIS IS THE PASSWORD/TOKEN CHECK.`
		`+ *`
		`+ * We have to check the token FIRST because it only validates if something`
		`+ * is correct or not: the pw verify actually does a send_ldap_result if the`
		`+ * pw is wrong.`
		`+ *`
		`+ * this effectively means the flow is:`
		`+ * check token -> if valid continue`
		`+ * if invalid -> check password`
		`+ * if password is invalid -> send err=49 (INVALID_CREDENTIALS)`
		`+ * if password is okay -> continue`
		`*/`
		`- rc = pw_verify_be_dn(pb, &referral);`
		`+ rc = pw_verify_token_dn(pb);`
		`+ /*`
		`+ * If tokan auth was a success, flag as such in the conn. This is to prevent`
		`+ * token sessions renewing infinitely - only a primary auth factor can generate`
		`+ * a token session.`
		`+ */`
		`+ if (rc != SLAPI_BIND_SUCCESS) {`
		`+ rc = pw_verify_be_dn(pb, &referral);`
		`+ pb_conn->c_bind_auth_token = 0;`
		`+ } else {`
		`+ pb_conn->c_bind_auth_token = 1;`
		`+ }`
		`if (rc != SLAPI_BIND_SUCCESS) {`
		`/* Invalid pass - lets bail ... */`
		`goto bind_failed;`
		`@@ -765,9 +786,10 @@`

		`/*`
		`* If required, update the pw hash to the "current setting" on bind`
		`- * if it was successful.`
		`+ * if it was successful, and if we used a PW (else we replace the pw`
		`+ * with the token, which would be bad!)`
		`*/`
		`- if (config_get_enable_upgrade_hash()) {`
		`+ if (pb_conn->c_bind_auth_token == 0 && config_get_enable_upgrade_hash()) {`
		`update_pw_encoding(pb, bind_target_entry, sdn, cred.bv_val);`
		`}`

ldap/servers/slapd/extendop.c

file modified

+88 -1

		`@@ -16,8 +16,12 @@`
		`#include <stdio.h>`
		`#include "slap.h"`

		`- static const char extended_op_oid2string(const char oid);`
		`+ /* If available, expose rust types. */`
		`+ #ifdef RUST_ENABLE`
		`+ #include <rust-nsslapd-private.h>`
		`+ #endif`

		`+ static const char extended_op_oid2string(const char oid);`

		`/******** this stuff should probably be moved when it's done ********/`

		`@@ -203,6 +207,60 @@`
		`}`


		`+ #ifdef RUST_ENABLE`
		`+ static void`
		`+ extop_handle_ldapssotoken_request(Slapi_PBlock pb, char extoid __attribute__((unused)), struct berval *extval) {`
		`+ BerElement *ber = NULL;`
		`+ struct berval *bvp = {0};`
		`+ int32_t rc = 0;`
		`+ char *token = NULL;`
		`+ char *dn = NULL;`
		`+ char *key = NULL;`
		`+`
		`+ key = config_get_ldapssotoken_secret();`
		`+ slapi_pblock_get(pb, SLAPI_CONN_DN, &dn);`
		`+`
		`+ /* This function checks for nulls properly! */`
		`+ token = fernet_generate_token(dn, key);`
		`+ slapi_ch_free_string(&dn);`
		`+ if (token == NULL) {`
		`+ slapi_log_err(SLAPI_LOG_ERR,`
		`+ "extop_handle_ldapssotoken_request", "unable to generate fernet token\n");`
		`+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL,`
		`+ "unable to generate token", 0, NULL);`
		`+ return;`
		`+ }`
		`+`
		`+ /* We have a token, let's send it. */`
		`+ ber = der_alloc();`
		`+ PR_ASSERT(ber);`
		`+`
		`+ rc = ber_printf(ber, "{is}", &rc, token);`
		`+ slapi_ch_free_string(&token);`
		`+ /* Finish preparing the response */`
		`+ if (rc != -1) {`
		`+ ber_flatten(ber, &bvp);`
		`+ }`
		`+ ber_free(ber, 1);`
		`+`
		`+ if (rc == -1) {`
		`+ slapi_log_err(SLAPI_LOG_ERR,`
		`+ "extop_handle_ldapssotoken_request", "unable to generate ber structure for token\n");`
		`+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL,`
		`+ "unable to generate token", 0, NULL);`
		`+ return;`
		`+ }`
		`+`
		`+ slapi_pblock_set(pb, SLAPI_EXT_OP_RET_VALUE, bvp);`
		`+ send_ldap_result(pb, LDAP_SUCCESS, NULL, NULL, 0, NULL);`
		`+ slapi_log_err(SLAPI_LOG_INFO, "extop_handle_ldapssotoken_request",`
		`+ "ldapssotoken generated correctly.\n");`
		`+ ber_bvfree(bvp);`
		`+ return;`
		`+ }`
		`+ #endif`
		`+`
		`+`
		`void`
		`do_extended(Slapi_PBlock *pb)`
		`{`
		`@@ -345,6 +403,35 @@`
		`slapi_pblock_set(pb, SLAPI_EXT_OP_REQ_VALUE, &extval);`
		`slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &pb_op->o_isroot);`

		`+ /*`
		`+ * Are we attempting to generate an auth token?`
		`+ * Auth tokens are generated outside of transactions, and are just part of the`
		`+ * main server, so we do it now before consulting plugins - WB`
		`+ */`
		`+ #ifdef RUST_ENABLE`
		`+ if (strcmp(extoid, EXTOP_LDAPSSOTOKEN_REQUEST_OID) == 0 && config_get_enable_ldapssotoken()) {`
		`+ /*`
		`+ * We want to generate an auth token for this user.`
		`+ * Was this session already authenticated by a token?`
		`+ * Are they anonymous?`
		`+ */`
		`+ char dn = (char )slapi_sdn_get_dn(&pb_op->o_sdn);`
		`+ int32_t is_anon = 0;`
		`+ if (dn == NULL \|\| *dn == '\0') {`
		`+ is_anon = 1;`
		`+ }`
		`+`
		`+ if (pb_conn->c_bind_auth_token != 0 \|\| pb_op->o_isroot \|\| is_anon) {`
		`+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL);`
		`+ goto free_and_return;`
		`+ } else {`
		`+ /* We have a valid user who authed by not-password, generate them a token. */`
		`+ extop_handle_ldapssotoken_request(pb, extoid, &extval);`
		`+ goto free_and_return;`
		`+ }`
		`+ }`
		`+ #endif`
		`+`
		`rc = plugin_determine_exop_plugins(extoid, &p);`
		`slapi_log_err(SLAPI_LOG_TRACE, "do_extended", "Plugin_determine_exop_plugins rc %d\n", rc);`

ldap/servers/slapd/libglobs.c

file modified

+379 -227

		`@@ -146,6 +146,7 @@`
		`/* Note that the 'attrname' arguments are used only for log messages */`
		`typedef int (ConfigSetFunc)(const char attrname, char value, char errorbuf, int apply);`
		`typedef int (LogSetFunc)(const char attrname, char value, int whichlog, char errorbuf, int apply);`
		`+ typedef void * (*ConfigGenInitFunc)();`

		`typedef enum {`
		`CONFIG_INT, /* maps to int */`
		`@@ -167,6 +168,7 @@`
		`CONFIG_SPECIAL_UNHASHED_PW_SWITCH, /* unhashed pw: on/off/nolog */`
		`CONFIG_SPECIAL_TLS_CHECK_CRL, /* maps enum tls_check_crl_t to char * */`
		`CONFIG_SPECIAL_FILTER_VERIFY, /* maps to a config strict/warn-strict/warn/off enum */`
		`+ CONFIG_STRING_GENERATED, /* A string that can be set, or is internally generated */`
		`} ConfigVarType;`

		`static int32_t config_set_onoff(const char attrname, char value, int32_t configvalue, char errorbuf, int apply);`
		`@@ -257,6 +259,7 @@`
		`slapi_onoff_t init_ignore_vattrs;`
		`slapi_onoff_t init_enable_upgrade_hash;`
		`slapi_special_filter_verify_t init_verify_filter_schema;`
		`+ slapi_onoff_t init_enable_ldapssotoken;`

		`static int`
		`isInt(ConfigVarType type)`
		`@@ -279,100 +282,101 @@`
		`void *config_var_addr; / address of member of slapdFrontendConfig struct */`
		`ConfigVarType config_var_type; /* cast to this type when getting */`
		`ConfigGetFunc getfunc; /* for special handling */`
		`- void *initvalue;`
		`+ void initvalue; / init values */`
		`+ ConfigGenInitFunc geninitfunc; /* An init value generator */`
		`} ConfigList[] = {`
		`{CONFIG_AUDITLOG_MODE_ATTRIBUTE, NULL,`
		`log_set_mode, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_mode,`
		`- CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE},`
		`+ CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE, NULL},`
		`{CONFIG_AUDITLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,`
		`log_set_rotationsync_enabled, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_rotationsync_enabled,`
		`- CONFIG_ON_OFF, NULL, &init_auditlog_rotationsync_enabled},`
		`+ CONFIG_ON_OFF, NULL, &init_auditlog_rotationsync_enabled, NULL},`
		`{CONFIG_AUDITLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE, NULL,`
		`log_set_rotationsynchour, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_rotationsynchour,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR, NULL},`
		`{CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,`
		`log_set_rotationsyncmin, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_rotationsyncmin,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR, NULL},`
		`{CONFIG_AUDITLOG_LOGROTATIONTIME_ATTRIBUTE, NULL,`
		`log_set_rotationtime, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_rotationtime,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR, NULL},`
		`{CONFIG_ACCESSLOG_MODE_ATTRIBUTE, NULL,`
		`log_set_mode, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_mode,`
		`- CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE},`
		`+ CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE, NULL},`
		`{CONFIG_ACCESSLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,`
		`log_set_numlogsperdir, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_maxnumlogs,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ACCESS_MAXNUMLOGS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ACCESS_MAXNUMLOGS_STR, NULL},`
		`{CONFIG_LOGLEVEL_ATTRIBUTE, config_set_errorlog_level,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.errorloglevel,`
		`- CONFIG_SPECIAL_ERRORLOGLEVEL, NULL, SLAPD_DEFAULT_FE_ERRORLOG_LEVEL_STR},`
		`+ CONFIG_SPECIAL_ERRORLOGLEVEL, NULL, SLAPD_DEFAULT_FE_ERRORLOG_LEVEL_STR, NULL},`
		`{CONFIG_ERRORLOG_LOGGING_ENABLED_ATTRIBUTE, NULL,`
		`log_set_logging, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_logging_enabled,`
		`- CONFIG_ON_OFF, NULL, &init_errorlog_logging_enabled},`
		`+ CONFIG_ON_OFF, NULL, &init_errorlog_logging_enabled, NULL},`
		`{CONFIG_ERRORLOG_MODE_ATTRIBUTE, NULL,`
		`log_set_mode, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_mode,`
		`- CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE},`
		`+ CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE, NULL},`
		`{CONFIG_ERRORLOG_LOGEXPIRATIONTIME_ATTRIBUTE, NULL,`
		`log_set_expirationtime, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_exptime,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR, NULL},`
		`{CONFIG_ACCESSLOG_LOGGING_ENABLED_ATTRIBUTE, NULL,`
		`log_set_logging, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_logging_enabled,`
		`- CONFIG_ON_OFF, NULL, &init_accesslog_logging_enabled},`
		`+ CONFIG_ON_OFF, NULL, &init_accesslog_logging_enabled, NULL},`
		`{CONFIG_PORT_ATTRIBUTE, config_set_port,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.port,`
		`- CONFIG_INT, NULL, NULL},`
		`+ CONFIG_INT, NULL, NULL, NULL},`
		`{CONFIG_WORKINGDIR_ATTRIBUTE, config_set_workingdir,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.workingdir,`
		`- CONFIG_STRING_OR_EMPTY, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_STRING_OR_EMPTY, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_MAXTHREADSPERCONN_ATTRIBUTE, config_set_maxthreadsperconn,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.maxthreadsperconn,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_THREADS_PER_CONN_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_THREADS_PER_CONN_STR, NULL},`
		`{CONFIG_ACCESSLOG_LOGEXPIRATIONTIME_ATTRIBUTE, NULL,`
		`log_set_expirationtime, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_exptime,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR, NULL},`
		`{CONFIG_LOCALUSER_ATTRIBUTE, config_set_localuser,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.localuser,`
		`- CONFIG_STRING, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_STRING, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_ERRORLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,`
		`log_set_rotationsync_enabled, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_rotationsync_enabled,`
		`- CONFIG_ON_OFF, NULL, &init_errorlog_rotationsync_enabled},`
		`+ CONFIG_ON_OFF, NULL, &init_errorlog_rotationsync_enabled, NULL},`
		`{CONFIG_ERRORLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE, NULL,`
		`log_set_rotationsynchour, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_rotationsynchour,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR, NULL},`
		`{CONFIG_ERRORLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,`
		`log_set_rotationsyncmin, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_rotationsyncmin,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR, NULL},`
		`{CONFIG_ERRORLOG_LOGROTATIONTIME_ATTRIBUTE, NULL,`
		`log_set_rotationtime, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_rotationtime,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR, NULL},`
		`{CONFIG_PW_INHISTORY_ATTRIBUTE, config_set_pw_inhistory,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_inhistory,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_INHISTORY_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_INHISTORY_STR, NULL},`
		`{CONFIG_PW_STORAGESCHEME_ATTRIBUTE, config_set_pw_storagescheme,`
		`NULL, 0, NULL,`
		`CONFIG_STRING, (ConfigGetFunc)config_get_pw_storagescheme,`
		`- ""},`
		`+ "", NULL},`
		`/*`
		`* Set this to empty string to allow reset to work, but`
		`* the value is actually derived in set_pw_storagescheme.`
		`@@ -380,240 +384,240 @@`
		`{CONFIG_PW_UNLOCK_ATTRIBUTE, config_set_pw_unlock,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_unlock,`
		`- CONFIG_ON_OFF, NULL, &init_pw_unlock},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_unlock, NULL},`
		`{CONFIG_PW_GRACELIMIT_ATTRIBUTE, config_set_pw_gracelimit,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_gracelimit,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_GRACELIMIT_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_GRACELIMIT_STR, NULL},`
		`{CONFIG_PW_ADMIN_DN_ATTRIBUTE, config_set_pw_admin_dn,`
		`NULL, 0,`
		`NULL,`
		`- CONFIG_STRING, (ConfigGetFunc)config_get_pw_admin_dn, ""},`
		`+ CONFIG_STRING, (ConfigGetFunc)config_get_pw_admin_dn, "", NULL},`
		`{CONFIG_ACCESSLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,`
		`log_set_rotationsync_enabled, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_rotationsync_enabled,`
		`- CONFIG_ON_OFF, NULL, &init_accesslog_rotationsync_enabled},`
		`+ CONFIG_ON_OFF, NULL, &init_accesslog_rotationsync_enabled, NULL},`
		`{CONFIG_ACCESSLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE, NULL,`
		`log_set_rotationsynchour, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_rotationsynchour,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR, NULL},`
		`{CONFIG_ACCESSLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,`
		`log_set_rotationsyncmin, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_rotationsyncmin,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR, NULL},`
		`{CONFIG_ACCESSLOG_LOGROTATIONTIME_ATTRIBUTE, NULL,`
		`log_set_rotationtime, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_rotationtime,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR, NULL},`
		`{CONFIG_PW_MUSTCHANGE_ATTRIBUTE, config_set_pw_must_change,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_must_change,`
		`- CONFIG_ON_OFF, NULL, &init_pw_must_change},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_must_change, NULL},`
		`{CONFIG_PWPOLICY_LOCAL_ATTRIBUTE, config_set_pwpolicy_local,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pwpolicy_local,`
		`- CONFIG_ON_OFF, NULL, &init_pwpolicy_local},`
		`+ CONFIG_ON_OFF, NULL, &init_pwpolicy_local, NULL},`
		`{CONFIG_PWPOLICY_INHERIT_GLOBAL_ATTRIBUTE, config_set_pwpolicy_inherit_global,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pwpolicy_inherit_global,`
		`- CONFIG_ON_OFF, NULL, &init_pwpolicy_inherit_global},`
		`+ CONFIG_ON_OFF, NULL, &init_pwpolicy_inherit_global, NULL},`
		`{CONFIG_AUDITLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,`
		`log_set_maxdiskspace, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_maxdiskspace,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXDISKSPACE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXDISKSPACE_STR, NULL},`
		`{CONFIG_SIZELIMIT_ATTRIBUTE, config_set_sizelimit,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.sizelimit,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_SIZELIMIT_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_SIZELIMIT_STR, NULL},`
		`{CONFIG_AUDITLOG_MAXLOGSIZE_ATTRIBUTE, NULL,`
		`log_set_logsize, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_maxlogsize,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR, NULL},`
		`{CONFIG_PW_WARNING_ATTRIBUTE, config_set_pw_warning,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_warning,`
		`- CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_WARNING_STR},`
		`+ CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_WARNING_STR, NULL},`
		`{CONFIG_READONLY_ATTRIBUTE, config_set_readonly,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.readonly,`
		`- CONFIG_ON_OFF, NULL, &init_readonly},`
		`+ CONFIG_ON_OFF, NULL, &init_readonly, NULL},`
		`{CONFIG_SASL_MAPPING_FALLBACK, config_set_sasl_mapping_fallback,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.sasl_mapping_fallback,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_sasl_mapping_fallback,`
		`- &init_sasl_mapping_fallback},`
		`+ &init_sasl_mapping_fallback, NULL},`
		`{CONFIG_THREADNUMBER_ATTRIBUTE, config_set_threadnumber,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.threadnumber,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_THREADS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_THREADS_STR, NULL},`
		`{CONFIG_PW_LOCKOUT_ATTRIBUTE, config_set_pw_lockout,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_lockout,`
		`- CONFIG_ON_OFF, NULL, &init_pw_lockout},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_lockout, NULL},`
		`{CONFIG_ENQUOTE_SUP_OC_ATTRIBUTE, config_set_enquote_sup_oc,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.enquote_sup_oc,`
		`- CONFIG_ON_OFF, NULL, &init_enquote_sup_oc},`
		`+ CONFIG_ON_OFF, NULL, &init_enquote_sup_oc, NULL},`
		`{CONFIG_LOCALHOST_ATTRIBUTE, config_set_localhost,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.localhost,`
		`- CONFIG_STRING, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_STRING, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_IOBLOCKTIMEOUT_ATTRIBUTE, config_set_ioblocktimeout,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ioblocktimeout,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_IOBLOCK_TIMEOUT_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_IOBLOCK_TIMEOUT_STR, NULL},`
		`{CONFIG_MAX_FILTER_NEST_LEVEL_ATTRIBUTE, config_set_max_filter_nest_level,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.max_filter_nest_level,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL_STR, NULL},`
		`{CONFIG_ERRORLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,`
		`log_set_maxdiskspace, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_maxdiskspace,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXDISKSPACE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXDISKSPACE_STR, NULL},`
		`{CONFIG_PW_MINLENGTH_ATTRIBUTE, config_set_pw_minlength,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_minlength,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINLENGTH_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINLENGTH_STR, NULL},`
		`{CONFIG_PW_MINDIGITS_ATTRIBUTE, config_set_pw_mindigits,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_mindigits,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINDIGITS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINDIGITS_STR, NULL},`
		`{CONFIG_PW_MINALPHAS_ATTRIBUTE, config_set_pw_minalphas,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_minalphas,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINALPHAS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINALPHAS_STR, NULL},`
		`{CONFIG_PW_MINUPPERS_ATTRIBUTE, config_set_pw_minuppers,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_minuppers,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINUPPERS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINUPPERS_STR, NULL},`
		`{CONFIG_PW_MINLOWERS_ATTRIBUTE, config_set_pw_minlowers,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_minlowers,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINLOWERS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINLOWERS_STR, NULL},`
		`{CONFIG_PW_MINSPECIALS_ATTRIBUTE, config_set_pw_minspecials,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_minspecials,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINSPECIALS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINSPECIALS_STR, NULL},`
		`{CONFIG_PW_MIN8BIT_ATTRIBUTE, config_set_pw_min8bit,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_min8bit,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MIN8BIT_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MIN8BIT_STR, NULL},`
		`{CONFIG_PW_MAXREPEATS_ATTRIBUTE, config_set_pw_maxrepeats,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_maxrepeats,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAXREPEATS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAXREPEATS_STR, NULL},`
		`{CONFIG_PW_MINCATEGORIES_ATTRIBUTE, config_set_pw_mincategories,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_mincategories,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINCATEGORIES_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINCATEGORIES_STR, NULL},`
		`{CONFIG_PW_MINTOKENLENGTH_ATTRIBUTE, config_set_pw_mintokenlength,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_mintokenlength,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINTOKENLENGTH_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINTOKENLENGTH_STR, NULL},`

		`/* Password palindrome */`
		`{CONFIG_PW_PALINDROME_ATTRIBUTE, config_set_pw_palindrome,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_palindrome,`
		`- CONFIG_ON_OFF, NULL, &init_pw_palindrome},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_palindrome, NULL},`
		`/* password dictionary check */`
		`{CONFIG_PW_CHECK_DICT_ATTRIBUTE, config_set_pw_dict_check,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_check_dict,`
		`- CONFIG_ON_OFF, NULL, &init_pw_dict_check},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_dict_check, NULL},`
		`/* password dictionary path */`
		`{CONFIG_PW_DICT_PATH_ATTRIBUTE, config_set_pw_dict_path,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_dict_path,`
		`- CONFIG_STRING, NULL, ""},`
		`+ CONFIG_STRING, NULL, "", NULL},`
		`/* password user attr check list */`
		`{CONFIG_PW_USERATTRS_ATTRIBUTE, config_set_pw_user_attrs,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_cmp_attrs,`
		`- CONFIG_CHARRAY, NULL, NULL},`
		`+ CONFIG_CHARRAY, NULL, NULL, NULL},`
		`/* password bad work list */`
		`{CONFIG_PW_BAD_WORDS_ATTRIBUTE, config_set_pw_bad_words,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_bad_words,`
		`- CONFIG_CHARRAY, NULL, NULL},`
		`+ CONFIG_CHARRAY, NULL, NULL, NULL},`
		`/* password max sequence */`
		`{CONFIG_PW_MAX_SEQ_ATTRIBUTE, config_set_pw_max_seq,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_max_seq,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAX_SEQ_ATTRIBUTE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAX_SEQ_ATTRIBUTE_STR, NULL},`
		`/* Max sequence sets */`
		`{CONFIG_PW_MAX_SEQ_SETS_ATTRIBUTE, config_set_pw_max_seq_sets,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_seq_char_sets,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAX_SEQ_SETS_ATTRIBUTE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAX_SEQ_SETS_ATTRIBUTE_STR, NULL},`
		`/* password max repeated characters per class */`
		`{CONFIG_PW_MAX_CLASS_CHARS_ATTRIBUTE, config_set_pw_max_class_repeats,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_max_class_repeats,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAX_CLASS_CHARS_ATTRIBUTE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAX_CLASS_CHARS_ATTRIBUTE_STR, NULL},`
		`{CONFIG_ERRORLOG_ATTRIBUTE, config_set_errorlog,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.errorlog,`
		`- CONFIG_STRING_OR_EMPTY, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_STRING_OR_EMPTY, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_AUDITLOG_LOGEXPIRATIONTIME_ATTRIBUTE, NULL,`
		`log_set_expirationtime, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_exptime,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR, NULL},`
		`{CONFIG_SCHEMACHECK_ATTRIBUTE, config_set_schemacheck,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.schemacheck,`
		`- CONFIG_ON_OFF, NULL, &init_schemacheck},`
		`+ CONFIG_ON_OFF, NULL, &init_schemacheck, NULL},`
		`{CONFIG_SCHEMAMOD_ATTRIBUTE, config_set_schemamod,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.schemamod,`
		`- CONFIG_ON_OFF, NULL, &init_schemamod},`
		`+ CONFIG_ON_OFF, NULL, &init_schemamod, NULL},`
		`{CONFIG_SYNTAXCHECK_ATTRIBUTE, config_set_syntaxcheck,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.syntaxcheck,`
		`- CONFIG_ON_OFF, NULL, &init_syntaxcheck},`
		`+ CONFIG_ON_OFF, NULL, &init_syntaxcheck, NULL},`
		`{CONFIG_SYNTAXLOGGING_ATTRIBUTE, config_set_syntaxlogging,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.syntaxlogging,`
		`- CONFIG_ON_OFF, NULL, &init_syntaxlogging},`
		`+ CONFIG_ON_OFF, NULL, &init_syntaxlogging, NULL},`
		`{CONFIG_DN_VALIDATE_STRICT_ATTRIBUTE, config_set_dn_validate_strict,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.dn_validate_strict,`
		`- CONFIG_ON_OFF, NULL, &init_dn_validate_strict},`
		`+ CONFIG_ON_OFF, NULL, &init_dn_validate_strict, NULL},`
		`{CONFIG_DS4_COMPATIBLE_SCHEMA_ATTRIBUTE, config_set_ds4_compatible_schema,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ds4_compatible_schema,`
		`- CONFIG_ON_OFF, NULL, &init_ds4_compatible_schema},`
		`+ CONFIG_ON_OFF, NULL, &init_ds4_compatible_schema, NULL},`
		`{CONFIG_SCHEMA_IGNORE_TRAILING_SPACES,`
		`config_set_schema_ignore_trailing_spaces, NULL, 0,`
		`(void **)&global_slapdFrontendConfig.schema_ignore_trailing_spaces,`
		`- CONFIG_ON_OFF, NULL, &init_schema_ignore_trailing_spaces},`
		`+ CONFIG_ON_OFF, NULL, &init_schema_ignore_trailing_spaces, NULL},`
		`{CONFIG_SCHEMAREPLACE_ATTRIBUTE, config_set_schemareplace, NULL, 0,`
		`(void **)&global_slapdFrontendConfig.schemareplace,`
		`- CONFIG_STRING_OR_OFF, NULL, CONFIG_SCHEMAREPLACE_STR_REPLICATION_ONLY},`
		`+ CONFIG_STRING_OR_OFF, NULL, CONFIG_SCHEMAREPLACE_STR_REPLICATION_ONLY, NULL},`
		`{CONFIG_ACCESSLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,`
		`log_set_maxdiskspace, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_maxdiskspace,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ACCESS_MAXDISKSPACE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ACCESS_MAXDISKSPACE_STR, NULL},`
		`{CONFIG_REFERRAL_ATTRIBUTE, (ConfigSetFunc)config_set_defaultreferral,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.defaultreferral,`
		`- CONFIG_SPECIAL_REFERRALLIST, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_SPECIAL_REFERRALLIST, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_PW_MAXFAILURE_ATTRIBUTE, config_set_pw_maxfailure,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_maxfailure,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAXFAILURE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAXFAILURE_STR, NULL},`
		`{CONFIG_ACCESSLOG_ATTRIBUTE, config_set_accesslog,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.accesslog,`
		`- CONFIG_STRING_OR_EMPTY, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_STRING_OR_EMPTY, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_LASTMOD_ATTRIBUTE, config_set_lastmod,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.lastmod,`
		`- CONFIG_ON_OFF, NULL, &init_lastmod},`
		`+ CONFIG_ON_OFF, NULL, &init_lastmod, NULL},`
		`{CONFIG_ROOTPWSTORAGESCHEME_ATTRIBUTE, config_set_rootpwstoragescheme,`
		`NULL, 0, NULL,`
		`CONFIG_STRING, (ConfigGetFunc)config_get_rootpwstoragescheme,`
		`- ""},`
		`+ "", NULL},`
		`/*`
		`* Set this to empty string to allow reset to work, but`
		`* the value is actually derived in set_rootpwstoragescheme.`
		`@@ -621,635 +625,651 @@`
		`{CONFIG_PW_HISTORY_ATTRIBUTE, config_set_pw_history,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_history,`
		`- CONFIG_ON_OFF, NULL, &init_pw_history},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_history, NULL},`
		`{CONFIG_SECURITY_ATTRIBUTE, config_set_security,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.security,`
		`- CONFIG_ON_OFF, NULL, &init_security},`
		`+ CONFIG_ON_OFF, NULL, &init_security, NULL},`
		`{CONFIG_PW_MAXAGE_ATTRIBUTE, config_set_pw_maxage,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_maxage,`
		`- CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_MAXAGE_STR},`
		`+ CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_MAXAGE_STR, NULL},`
		`{CONFIG_AUDITLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE, NULL,`
		`log_set_rotationtimeunit, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_rotationunit,`
		`- CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_AUDITLOG_ROTATIONUNIT},`
		`+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_AUDITLOG_ROTATIONUNIT, NULL},`
		`{CONFIG_PW_RESETFAILURECOUNT_ATTRIBUTE, config_set_pw_resetfailurecount,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_resetfailurecount,`
		`- CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_RESETFAILURECOUNT_STR},`
		`+ CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_RESETFAILURECOUNT_STR, NULL},`
		`{CONFIG_PW_ISGLOBAL_ATTRIBUTE, config_set_pw_is_global_policy,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_is_global_policy,`
		`- CONFIG_ON_OFF, NULL, &init_pw_is_global_policy},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_is_global_policy, NULL},`
		`{CONFIG_PW_IS_LEGACY, config_set_pw_is_legacy_policy,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_is_legacy,`
		`- CONFIG_ON_OFF, NULL, &init_pw_is_legacy},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_is_legacy, NULL},`
		`{CONFIG_PW_TRACK_LAST_UPDATE_TIME, config_set_pw_track_last_update_time,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_track_update_time,`
		`- CONFIG_ON_OFF, NULL, &init_pw_track_update_time},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_track_update_time, NULL},`
		`{CONFIG_AUDITLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,`
		`log_set_numlogsperdir, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_maxnumlogs,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXNUMLOGS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXNUMLOGS_STR, NULL},`
		`{CONFIG_ERRORLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE, NULL,`
		`log_set_expirationtimeunit, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_exptimeunit,`
		`- CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT},`
		`+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT, NULL},`
		`/* errorlog list is read only, so no set func and no config var addr */`
		`{CONFIG_ERRORLOG_LIST_ATTRIBUTE, NULL,`
		`NULL, 0, NULL,`
		`- CONFIG_CHARRAY, (ConfigGetFunc)config_get_errorlog_list, NULL},`
		`+ CONFIG_CHARRAY, (ConfigGetFunc)config_get_errorlog_list, NULL, NULL},`
		`{CONFIG_GROUPEVALNESTLEVEL_ATTRIBUTE, config_set_groupevalnestlevel,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.groupevalnestlevel,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_GROUPEVALNESTLEVEL_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_GROUPEVALNESTLEVEL_STR, NULL},`
		`{CONFIG_ACCESSLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE, NULL,`
		`log_set_expirationtimeunit, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_exptimeunit,`
		`- CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT},`
		`+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT, NULL},`
		`{CONFIG_ROOTPW_ATTRIBUTE, config_set_rootpw,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.rootpw,`
		`- CONFIG_STRING, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_STRING, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_PW_CHANGE_ATTRIBUTE, config_set_pw_change,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_change,`
		`- CONFIG_ON_OFF, NULL, &init_pw_change},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_change, NULL},`
		`{CONFIG_ACCESSLOGLEVEL_ATTRIBUTE, config_set_accesslog_level,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.accessloglevel,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_ACCESSLOG_LEVEL_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_ACCESSLOG_LEVEL_STR, NULL},`
		`{CONFIG_ERRORLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE, NULL,`
		`log_set_rotationtimeunit, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_rotationunit,`
		`- CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_ERRORLOG_ROTATIONUNIT},`
		`+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_ERRORLOG_ROTATIONUNIT, NULL},`
		`{CONFIG_SECUREPORT_ATTRIBUTE, config_set_secureport,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.secureport,`
		`- CONFIG_INT, NULL, NULL},`
		`+ CONFIG_INT, NULL, NULL, NULL},`
		`{CONFIG_BASEDN_ATTRIBUTE, config_set_basedn,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.certmap_basedn,`
		`- CONFIG_STRING, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_STRING, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_TIMELIMIT_ATTRIBUTE, config_set_timelimit,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.timelimit,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_TIMELIMIT_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_TIMELIMIT_STR, NULL},`
		`{CONFIG_ERRORLOG_MAXLOGSIZE_ATTRIBUTE, NULL,`
		`log_set_logsize, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_maxlogsize,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR, NULL},`
		`{CONFIG_RESERVEDESCRIPTORS_ATTRIBUTE, config_set_reservedescriptors,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.reservedescriptors,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_RESERVE_FDS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_RESERVE_FDS_STR, NULL},`
		`/* access log list is read only, no set func, no config var addr */`
		`{CONFIG_ACCESSLOG_LIST_ATTRIBUTE, NULL,`
		`NULL, 0, NULL,`
		`- CONFIG_CHARRAY, (ConfigGetFunc)config_get_accesslog_list, NULL},`
		`+ CONFIG_CHARRAY, (ConfigGetFunc)config_get_accesslog_list, NULL, NULL},`
		`{CONFIG_SVRTAB_ATTRIBUTE, config_set_srvtab,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.srvtab,`
		`- CONFIG_STRING, NULL, ""},`
		`+ CONFIG_STRING, NULL, "", NULL},`
		`{CONFIG_PW_EXP_ATTRIBUTE, config_set_pw_exp,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_exp,`
		`- CONFIG_ON_OFF, NULL, &init_pw_exp},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_exp, NULL},`
		`{CONFIG_PW_SEND_EXPIRING, config_set_pw_send_expiring,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_send_expiring,`
		`- CONFIG_ON_OFF, NULL, &init_pw_send_expiring},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_send_expiring, NULL},`
		`{CONFIG_ACCESSCONTROL_ATTRIBUTE, config_set_accesscontrol,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.accesscontrol,`
		`- CONFIG_ON_OFF, NULL, &init_accesscontrol},`
		`+ CONFIG_ON_OFF, NULL, &init_accesscontrol, NULL},`
		`{CONFIG_AUDITLOG_LIST_ATTRIBUTE, NULL,`
		`NULL, 0, NULL,`
		`- CONFIG_CHARRAY, (ConfigGetFunc)config_get_auditlog_list, NULL},`
		`+ CONFIG_CHARRAY, (ConfigGetFunc)config_get_auditlog_list, NULL, NULL},`
		`{CONFIG_ACCESSLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE, NULL,`
		`log_set_rotationtimeunit, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_rotationunit,`
		`- CONFIG_STRING, NULL, SLAPD_INIT_ACCESSLOG_ROTATIONUNIT},`
		`+ CONFIG_STRING, NULL, SLAPD_INIT_ACCESSLOG_ROTATIONUNIT, NULL},`
		`{CONFIG_PW_LOCKDURATION_ATTRIBUTE, config_set_pw_lockduration,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_lockduration,`
		`- CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_LOCKDURATION_STR},`
		`+ CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_LOCKDURATION_STR, NULL},`
		`{CONFIG_ACCESSLOG_MAXLOGSIZE_ATTRIBUTE, NULL,`
		`log_set_logsize, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_maxlogsize,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR, NULL},`
		`{CONFIG_IDLETIMEOUT_ATTRIBUTE, config_set_idletimeout,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.idletimeout,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_IDLE_TIMEOUT_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_IDLE_TIMEOUT_STR, NULL},`
		`{CONFIG_NAGLE_ATTRIBUTE, config_set_nagle,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.nagle,`
		`- CONFIG_ON_OFF, NULL, &init_nagle},`
		`+ CONFIG_ON_OFF, NULL, &init_nagle, NULL},`
		`{CONFIG_ERRORLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,`
		`log_set_mindiskspace, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_minfreespace,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR, NULL},`
		`{CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE, NULL,`
		`log_set_logging, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_logging_enabled,`
		`- CONFIG_ON_OFF, NULL, &init_auditlog_logging_enabled},`
		`+ CONFIG_ON_OFF, NULL, &init_auditlog_logging_enabled, NULL},`
		`{CONFIG_AUDITLOG_LOGGING_HIDE_UNHASHED_PW, config_set_auditlog_unhashed_pw,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.auditlog_logging_hide_unhashed_pw,`
		`- CONFIG_ON_OFF, NULL, &init_auditlog_logging_hide_unhashed_pw},`
		`+ CONFIG_ON_OFF, NULL, &init_auditlog_logging_hide_unhashed_pw, NULL},`
		`{CONFIG_ACCESSLOG_BUFFERING_ATTRIBUTE, config_set_accesslogbuffering,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.accesslogbuffering,`
		`- CONFIG_ON_OFF, NULL, &init_accesslogbuffering},`
		`+ CONFIG_ON_OFF, NULL, &init_accesslogbuffering, NULL},`
		`{CONFIG_CSNLOGGING_ATTRIBUTE, config_set_csnlogging,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.csnlogging,`
		`- CONFIG_ON_OFF, NULL, &init_csnlogging},`
		`+ CONFIG_ON_OFF, NULL, &init_csnlogging, NULL},`
		`{CONFIG_AUDITLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE, NULL,`
		`log_set_expirationtimeunit, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_exptimeunit,`
		`- CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT},`
		`+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT, NULL},`
		`{CONFIG_ALLOW_HASHED_PW_ATTRIBUTE, config_set_allow_hashed_pw,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.allow_hashed_pw,`
		`- CONFIG_ON_OFF, NULL, &init_allow_hashed_pw},`
		`+ CONFIG_ON_OFF, NULL, &init_allow_hashed_pw, NULL},`
		`{CONFIG_PW_SYNTAX_ATTRIBUTE, config_set_pw_syntax,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_syntax,`
		`- CONFIG_ON_OFF, NULL, &init_pw_syntax},`
		`+ CONFIG_ON_OFF, NULL, &init_pw_syntax, NULL},`
		`{CONFIG_LISTENHOST_ATTRIBUTE, config_set_listenhost,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.listenhost,`
		`- CONFIG_STRING, NULL, "" /* Empty value is allowed */},`
		`+ CONFIG_STRING, NULL, "", NULL /* Empty value is allowed */},`
		`{CONFIG_SNMP_INDEX_ATTRIBUTE, config_set_snmp_index,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.snmp_index,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_SNMP_INDEX_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_SNMP_INDEX_STR, NULL},`
		`{CONFIG_LDAPI_FILENAME_ATTRIBUTE, config_set_ldapi_filename,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ldapi_filename,`
		`- CONFIG_STRING, NULL, SLAPD_LDAPI_DEFAULT_FILENAME},`
		`+ CONFIG_STRING, NULL, SLAPD_LDAPI_DEFAULT_FILENAME, NULL},`
		`{CONFIG_LDAPI_SWITCH_ATTRIBUTE, config_set_ldapi_switch,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ldapi_switch,`
		`- CONFIG_ON_OFF, NULL, &init_ldapi_switch},`
		`+ CONFIG_ON_OFF, NULL, &init_ldapi_switch, NULL},`
		`{CONFIG_LDAPI_BIND_SWITCH_ATTRIBUTE, config_set_ldapi_bind_switch,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ldapi_bind_switch,`
		`- CONFIG_ON_OFF, NULL, &init_ldapi_bind_switch},`
		`+ CONFIG_ON_OFF, NULL, &init_ldapi_bind_switch, NULL},`
		`{CONFIG_LDAPI_ROOT_DN_ATTRIBUTE, config_set_ldapi_root_dn,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ldapi_root_dn,`
		`- CONFIG_STRING, NULL, SLAPD_DEFAULT_DIRECTORY_MANAGER},`
		`+ CONFIG_STRING, NULL, SLAPD_DEFAULT_DIRECTORY_MANAGER, NULL},`
		`{CONFIG_LDAPI_MAP_ENTRIES_ATTRIBUTE, config_set_ldapi_map_entries,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ldapi_map_entries,`
		`- CONFIG_ON_OFF, NULL, &init_ldapi_map_entries},`
		`+ CONFIG_ON_OFF, NULL, &init_ldapi_map_entries, NULL},`
		`{CONFIG_LDAPI_UIDNUMBER_TYPE_ATTRIBUTE, config_set_ldapi_uidnumber_type,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ldapi_uidnumber_type,`
		`- CONFIG_STRING, NULL, SLAPD_DEFAULT_UIDNUM_TYPE},`
		`+ CONFIG_STRING, NULL, SLAPD_DEFAULT_UIDNUM_TYPE, NULL},`
		`{CONFIG_LDAPI_GIDNUMBER_TYPE_ATTRIBUTE, config_set_ldapi_gidnumber_type,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ldapi_gidnumber_type,`
		`- CONFIG_STRING, NULL, SLAPD_DEFAULT_GIDNUM_TYPE},`
		`+ CONFIG_STRING, NULL, SLAPD_DEFAULT_GIDNUM_TYPE, NULL},`
		`{CONFIG_LDAPI_SEARCH_BASE_DN_ATTRIBUTE, config_set_ldapi_search_base_dn,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ldapi_search_base_dn,`
		`- CONFIG_STRING, NULL, SLAPD_DEFAULT_LDAPI_SEARCH_BASE},`
		`+ CONFIG_STRING, NULL, SLAPD_DEFAULT_LDAPI_SEARCH_BASE, NULL},`
		`#if defined(ENABLE_AUTO_DN_SUFFIX)`
		`{CONFIG_LDAPI_AUTO_DN_SUFFIX_ATTRIBUTE, config_set_ldapi_auto_dn_suffix,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ldapi_auto_dn_suffix,`
		`- CONFIG_STRING, NULL, SLAPD_DEFAULT_LDAPI_AUTO_DN},`
		`+ CONFIG_STRING, NULL, SLAPD_DEFAULT_LDAPI_AUTO_DN, NULL},`
		`#endif`
		`{CONFIG_ANON_LIMITS_DN_ATTRIBUTE, config_set_anon_limits_dn,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.anon_limits_dn,`
		`- CONFIG_STRING, NULL, ""},`
		`+ CONFIG_STRING, NULL, "", NULL},`
		`{CONFIG_SLAPI_COUNTER_ATTRIBUTE, config_set_slapi_counters,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.slapi_counters,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_slapi_counters,`
		`- &init_slapi_counters},`
		`+ &init_slapi_counters, NULL},`
		`{CONFIG_ACCESSLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,`
		`log_set_mindiskspace, SLAPD_ACCESS_LOG,`
		`(void **)&global_slapdFrontendConfig.accesslog_minfreespace,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR, NULL},`
		`{CONFIG_ERRORLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,`
		`log_set_numlogsperdir, SLAPD_ERROR_LOG,`
		`(void **)&global_slapdFrontendConfig.errorlog_maxnumlogs,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXNUMLOGS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXNUMLOGS_STR, NULL},`
		`{CONFIG_SECURELISTENHOST_ATTRIBUTE, config_set_securelistenhost,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.securelistenhost,`
		`- CONFIG_STRING, NULL, "" /* Empty value is allowed */},`
		`+ CONFIG_STRING, NULL, "", NULL /* Empty value is allowed */},`
		`{CONFIG_AUDITLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,`
		`log_set_mindiskspace, SLAPD_AUDIT_LOG,`
		`(void **)&global_slapdFrontendConfig.auditlog_minfreespace,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR, NULL},`
		`{CONFIG_ROOTDN_ATTRIBUTE, config_set_rootdn,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.rootdn,`
		`- CONFIG_STRING, NULL, SLAPD_DEFAULT_DIRECTORY_MANAGER},`
		`+ CONFIG_STRING, NULL, SLAPD_DEFAULT_DIRECTORY_MANAGER, NULL},`
		`{CONFIG_PW_MINAGE_ATTRIBUTE, config_set_pw_minage,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pw_policy.pw_minage,`
		`- CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_MINAGE_STR},`
		`+ CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_MINAGE_STR, NULL},`
		`{CONFIG_AUDITFILE_ATTRIBUTE, config_set_auditlog,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.auditlog,`
		`- CONFIG_STRING_OR_EMPTY, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_STRING_OR_EMPTY, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_RETURN_EXACT_CASE_ATTRIBUTE, config_set_return_exact_case,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.return_exact_case,`
		`- CONFIG_ON_OFF, NULL, &init_return_exact_case},`
		`+ CONFIG_ON_OFF, NULL, &init_return_exact_case, NULL},`
		`{CONFIG_RESULT_TWEAK_ATTRIBUTE, config_set_result_tweak,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.result_tweak,`
		`- CONFIG_ON_OFF, NULL, &init_result_tweak},`
		`+ CONFIG_ON_OFF, NULL, &init_result_tweak, NULL},`
		`{CONFIG_PLUGIN_BINDDN_TRACKING_ATTRIBUTE, config_set_plugin_tracking,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.plugin_track,`
		`- CONFIG_ON_OFF, NULL, &init_plugin_track},`
		`+ CONFIG_ON_OFF, NULL, &init_plugin_track, NULL},`
		`{CONFIG_MODDN_ACI_ATTRIBUTE, config_set_moddn_aci,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.moddn_aci,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_moddn_aci,`
		`- &init_moddn_aci},`
		`+ &init_moddn_aci, NULL},`
		`{CONFIG_ATTRIBUTE_NAME_EXCEPTION_ATTRIBUTE, config_set_attrname_exceptions,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.attrname_exceptions,`
		`- CONFIG_ON_OFF, NULL, &init_attrname_exceptions},`
		`+ CONFIG_ON_OFF, NULL, &init_attrname_exceptions, NULL},`
		`{CONFIG_MAXBERSIZE_ATTRIBUTE, config_set_maxbersize,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.maxbersize,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_MAXBERSIZE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAXBERSIZE_STR, NULL},`
		`{CONFIG_MAXSASLIOSIZE_ATTRIBUTE, config_set_maxsasliosize,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.maxsasliosize,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_SASLIO_SIZE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_SASLIO_SIZE_STR, NULL},`
		`{CONFIG_VERSIONSTRING_ATTRIBUTE, config_set_versionstring,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.versionstring,`
		`- CONFIG_STRING, NULL, SLAPD_VERSION_STR},`
		`+ CONFIG_STRING, NULL, SLAPD_VERSION_STR, NULL},`
		`{CONFIG_REFERRAL_MODE_ATTRIBUTE, config_set_referral_mode,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.refer_url,`
		`- CONFIG_STRING, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_STRING, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_MAXDESCRIPTORS_ATTRIBUTE, config_set_maxdescriptors,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.maxdescriptors,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_MAXDESCRIPTORS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAXDESCRIPTORS_STR, NULL},`
		`{CONFIG_CONNTABLESIZE_ATTRIBUTE, config_set_conntablesize,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.conntablesize,`
		`- CONFIG_INT, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_INT, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_SSLCLIENTAUTH_ATTRIBUTE, config_set_SSLclientAuth,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.SSLclientAuth,`
		`- CONFIG_SPECIAL_SSLCLIENTAUTH, NULL, SLAPD_DEFAULT_SSLCLIENTAUTH_STR},`
		`+ CONFIG_SPECIAL_SSLCLIENTAUTH, NULL, SLAPD_DEFAULT_SSLCLIENTAUTH_STR, NULL},`
		`{CONFIG_SSL_CHECK_HOSTNAME_ATTRIBUTE, config_set_ssl_check_hostname,`
		`NULL, 0, NULL,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_ssl_check_hostname,`
		`- &init_ssl_check_hostname},`
		`+ &init_ssl_check_hostname, NULL},`
		`{CONFIG_CONFIG_ATTRIBUTE, 0,`
		`NULL, 0, (void **)SLAPD_CONFIG_DN,`
		`- CONFIG_CONSTANT_STRING, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_CONSTANT_STRING, NULL, NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_HASH_FILTERS_ATTRIBUTE, config_set_hash_filters,`
		`NULL, 0, NULL,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_hash_filters,`
		`- NULL /* deletion is not allowed */},`
		`+ NULL, NULL /* deletion is not allowed */},`
		`/* instance dir; used by admin tasks */`
		`{CONFIG_INSTDIR_ATTRIBUTE, config_set_instancedir,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.instancedir,`
		`- CONFIG_STRING, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_STRING, NULL, NULL, NULL /* deletion is not allowed */},`
		`/* parameterizing schema dir */`
		`{CONFIG_SCHEMADIR_ATTRIBUTE, config_set_schemadir,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.schemadir,`
		`- CONFIG_STRING, NULL, NULL /* deletion is not allowed */},`
		`+ CONFIG_STRING, NULL, NULL, NULL /* deletion is not allowed */},`
		`/* parameterizing lock dir */`
		`{CONFIG_LOCKDIR_ATTRIBUTE, config_set_lockdir,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.lockdir,`
		`CONFIG_STRING, (ConfigGetFunc)config_get_lockdir,`
		`- NULL /* deletion is not allowed */},`
		`+ NULL, NULL /* deletion is not allowed */},`
		`/* parameterizing tmp dir */`
		`{CONFIG_TMPDIR_ATTRIBUTE, config_set_tmpdir,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.tmpdir,`
		`CONFIG_STRING, (ConfigGetFunc)config_get_tmpdir,`
		`- NULL /* deletion is not allowed */},`
		`+ NULL, NULL /* deletion is not allowed */},`
		`/* parameterizing cert dir */`
		`{CONFIG_CERTDIR_ATTRIBUTE, config_set_certdir,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.certdir,`
		`CONFIG_STRING, (ConfigGetFunc)config_get_certdir,`
		`- NULL /* deletion is not allowed */},`
		`+ NULL, NULL /* deletion is not allowed */},`
		`/* parameterizing ldif dir */`
		`{CONFIG_LDIFDIR_ATTRIBUTE, config_set_ldifdir,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ldifdir,`
		`CONFIG_STRING, (ConfigGetFunc)config_get_ldifdir,`
		`- NULL /* deletion is not allowed */},`
		`+ NULL, NULL /* deletion is not allowed */},`
		`/* parameterizing bak dir */`
		`{CONFIG_BAKDIR_ATTRIBUTE, config_set_bakdir,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.bakdir,`
		`CONFIG_STRING, (ConfigGetFunc)config_get_bakdir,`
		`- NULL /* deletion is not allowed */},`
		`+ NULL, NULL /* deletion is not allowed */},`
		`/* parameterizing sasl plugin path */`
		`{CONFIG_SASLPATH_ATTRIBUTE, config_set_saslpath,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.saslpath,`
		`CONFIG_STRING, (ConfigGetFunc)config_get_saslpath,`
		`- NULL /* deletion is not allowed */},`
		`+ NULL, NULL /* deletion is not allowed */},`
		`/* parameterizing run dir */`
		`{CONFIG_RUNDIR_ATTRIBUTE, config_set_rundir,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.rundir,`
		`CONFIG_STRING, (ConfigGetFunc)config_get_rundir,`
		`- NULL /* deletion is not allowed */},`
		`+ NULL, NULL /* deletion is not allowed */},`
		`{CONFIG_REWRITE_RFC1274_ATTRIBUTE, config_set_rewrite_rfc1274,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.rewrite_rfc1274,`
		`- CONFIG_ON_OFF, NULL, &init_rewrite_rfc1274},`
		`+ CONFIG_ON_OFF, NULL, &init_rewrite_rfc1274, NULL},`
		`{CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE,`
		`config_set_outbound_ldap_io_timeout,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.outbound_ldap_io_timeout,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT_STR, NULL},`
		`{CONFIG_UNAUTH_BINDS_ATTRIBUTE, config_set_unauth_binds_switch,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.allow_unauth_binds,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_unauth_binds_switch,`
		`- &init_allow_unauth_binds},`
		`+ &init_allow_unauth_binds, NULL},`
		`{CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE, config_set_require_secure_binds,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.require_secure_binds,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_require_secure_binds,`
		`- &init_require_secure_binds},`
		`+ &init_require_secure_binds, NULL},`
		`{CONFIG_ANON_ACCESS_ATTRIBUTE, config_set_anon_access_switch,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.allow_anon_access,`
		`CONFIG_SPECIAL_ANON_ACCESS_SWITCH,`
		`(ConfigGetFunc)config_get_anon_access_switch,`
		`- SLAPD_DEFAULT_ALLOW_ANON_ACCESS_STR},`
		`+ SLAPD_DEFAULT_ALLOW_ANON_ACCESS_STR, NULL},`
		`{CONFIG_LOCALSSF_ATTRIBUTE, config_set_localssf,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.localssf,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOCAL_SSF_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOCAL_SSF_STR, NULL},`
		`{CONFIG_MINSSF_ATTRIBUTE, config_set_minssf,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.minssf,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_MIN_SSF_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_MIN_SSF_STR, NULL},`
		`{CONFIG_MINSSF_EXCLUDE_ROOTDSE, config_set_minssf_exclude_rootdse,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.minssf_exclude_rootdse,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_minssf_exclude_rootdse,`
		`- &init_minssf_exclude_rootdse},`
		`+ &init_minssf_exclude_rootdse, NULL},`
		`{CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE, config_set_force_sasl_external,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.force_sasl_external,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_force_sasl_external,`
		`- &init_force_sasl_external},`
		`+ &init_force_sasl_external, NULL},`
		`{CONFIG_ENTRYUSN_GLOBAL, config_set_entryusn_global,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.entryusn_global,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_entryusn_global,`
		`- &init_entryusn_global},`
		`+ &init_entryusn_global, NULL},`
		`{CONFIG_ENTRYUSN_IMPORT_INITVAL, config_set_entryusn_import_init,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.entryusn_import_init,`
		`CONFIG_STRING, (ConfigGetFunc)config_get_entryusn_import_init,`
		`- SLAPD_ENTRYUSN_IMPORT_INIT},`
		`+ SLAPD_ENTRYUSN_IMPORT_INIT, NULL},`
		`{CONFIG_VALIDATE_CERT_ATTRIBUTE, config_set_validate_cert_switch,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.validate_cert,`
		`CONFIG_SPECIAL_VALIDATE_CERT_SWITCH,`
		`- (ConfigGetFunc)config_get_validate_cert_switch, SLAPD_DEFAULT_VALIDATE_CERT_STR},`
		`+ (ConfigGetFunc)config_get_validate_cert_switch, SLAPD_DEFAULT_VALIDATE_CERT_STR, NULL},`
		`{CONFIG_PAGEDSIZELIMIT_ATTRIBUTE, config_set_pagedsizelimit,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.pagedsizelimit,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_PAGEDSIZELIMIT_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_PAGEDSIZELIMIT_STR, NULL},`
		`{CONFIG_DEFAULT_NAMING_CONTEXT, config_set_default_naming_context,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.default_naming_context,`
		`- CONFIG_STRING, (ConfigGetFunc)config_get_default_naming_context, NULL},`
		`+ CONFIG_STRING, (ConfigGetFunc)config_get_default_naming_context, NULL, NULL},`
		`{CONFIG_DISK_MONITORING, config_set_disk_monitoring,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.disk_monitoring,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_disk_monitoring,`
		`- &init_disk_monitoring},`
		`+ &init_disk_monitoring, NULL},`
		`{CONFIG_DISK_THRESHOLD, config_set_disk_threshold,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.disk_threshold,`
		`CONFIG_LONG_LONG, (ConfigGetFunc)config_get_disk_threshold,`
		`- SLAPD_DEFAULT_DISK_THRESHOLD_STR},`
		`+ SLAPD_DEFAULT_DISK_THRESHOLD_STR, NULL},`
		`{CONFIG_DISK_GRACE_PERIOD, config_set_disk_grace_period,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.disk_grace_period,`
		`CONFIG_INT, (ConfigGetFunc)config_get_disk_grace_period,`
		`- SLAPD_DEFAULT_DISK_GRACE_PERIOD_STR},`
		`+ SLAPD_DEFAULT_DISK_GRACE_PERIOD_STR, NULL},`
		`{CONFIG_DISK_LOGGING_CRITICAL, config_set_disk_logging_critical,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.disk_logging_critical,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_disk_logging_critical,`
		`- &init_disk_logging_critical},`
		`+ &init_disk_logging_critical, NULL},`
		`{CONFIG_NDN_CACHE, config_set_ndn_cache_enabled,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ndn_cache_enabled,`
		`CONFIG_ON_OFF, (ConfigGetFunc)config_get_ndn_cache_enabled,`
		`- &init_ndn_cache_enabled},`
		`+ &init_ndn_cache_enabled, NULL},`
		`{CONFIG_NDN_CACHE_SIZE, config_set_ndn_cache_max_size,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ndn_cache_max_size,`
		`- CONFIG_INT, (ConfigGetFunc)config_get_ndn_cache_size, SLAPD_DEFAULT_NDN_SIZE_STR},`
		`+ CONFIG_INT, (ConfigGetFunc)config_get_ndn_cache_size, SLAPD_DEFAULT_NDN_SIZE_STR, NULL},`
		`/* The issue here is that we probably need "empty string" to be valid, rather than NULL for reset purposes */`
		`{CONFIG_ALLOWED_SASL_MECHS, config_set_allowed_sasl_mechs,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.allowed_sasl_mechs,`
		`- CONFIG_STRING, (ConfigGetFunc)config_get_allowed_sasl_mechs, ""},`
		`+ CONFIG_STRING, (ConfigGetFunc)config_get_allowed_sasl_mechs, "", NULL},`
		`{CONFIG_IGNORE_VATTRS, config_set_ignore_vattrs,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ignore_vattrs,`
		`- CONFIG_ON_OFF, (ConfigGetFunc)config_get_ignore_vattrs, &init_ignore_vattrs},`
		`+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_ignore_vattrs, &init_ignore_vattrs, NULL},`
		`{CONFIG_UNHASHED_PW_SWITCH_ATTRIBUTE, config_set_unhashed_pw_switch,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.unhashed_pw_switch,`
		`CONFIG_SPECIAL_UNHASHED_PW_SWITCH,`
		`(ConfigGetFunc)config_get_unhashed_pw_switch,`
		`- SLAPD_DEFAULT_UNHASHED_PW_SWITCH_STR},`
		`+ SLAPD_DEFAULT_UNHASHED_PW_SWITCH_STR, NULL},`
		`{CONFIG_SASL_MAXBUFSIZE, config_set_sasl_maxbufsize,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.sasl_max_bufsize,`
		`CONFIG_INT, (ConfigGetFunc)config_get_sasl_maxbufsize,`
		`- SLAPD_DEFAULT_SASL_MAXBUFSIZE_STR},`
		`+ SLAPD_DEFAULT_SASL_MAXBUFSIZE_STR, NULL},`
		`{CONFIG_SEARCH_RETURN_ORIGINAL_TYPE, config_set_return_orig_type_switch,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.return_orig_type,`
		`- CONFIG_ON_OFF, (ConfigGetFunc)config_get_return_orig_type_switch, &init_return_orig_type},`
		`+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_return_orig_type_switch, &init_return_orig_type, NULL},`
		`{CONFIG_ENABLE_TURBO_MODE, config_set_enable_turbo_mode,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.enable_turbo_mode,`
		`- CONFIG_ON_OFF, (ConfigGetFunc)config_get_enable_turbo_mode, &init_enable_turbo_mode},`
		`+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_enable_turbo_mode, &init_enable_turbo_mode, NULL},`
		`{CONFIG_CONNECTION_BUFFER, config_set_connection_buffer,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.connection_buffer,`
		`- CONFIG_INT, (ConfigGetFunc)config_get_connection_buffer, &init_connection_buffer},`
		`+ CONFIG_INT, (ConfigGetFunc)config_get_connection_buffer, &init_connection_buffer, NULL},`
		`{CONFIG_CONNECTION_NOCANON, config_set_connection_nocanon,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.connection_nocanon,`
		`- CONFIG_ON_OFF, (ConfigGetFunc)config_get_connection_nocanon, &init_connection_nocanon},`
		`+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_connection_nocanon, &init_connection_nocanon, NULL},`
		`{CONFIG_PLUGIN_LOGGING, config_set_plugin_logging,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.plugin_logging,`
		`- CONFIG_ON_OFF, (ConfigGetFunc)config_get_plugin_logging, &init_plugin_logging},`
		`+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_plugin_logging, &init_plugin_logging, NULL},`
		`{CONFIG_LISTEN_BACKLOG_SIZE, config_set_listen_backlog_size,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.listen_backlog_size, CONFIG_INT,`
		`- (ConfigGetFunc)config_get_listen_backlog_size, DAEMON_LISTEN_SIZE_STR},`
		`+ (ConfigGetFunc)config_get_listen_backlog_size, DAEMON_LISTEN_SIZE_STR, NULL},`
		`{CONFIG_DYNAMIC_PLUGINS, config_set_dynamic_plugins,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.dynamic_plugins, CONFIG_ON_OFF,`
		`- (ConfigGetFunc)config_get_dynamic_plugins, &init_dynamic_plugins},`
		`+ (ConfigGetFunc)config_get_dynamic_plugins, &init_dynamic_plugins, NULL},`
		`{CONFIG_CN_USES_DN_SYNTAX_IN_DNS, config_set_cn_uses_dn_syntax_in_dns,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.cn_uses_dn_syntax_in_dns, CONFIG_ON_OFF,`
		`- (ConfigGetFunc)config_get_cn_uses_dn_syntax_in_dns, &init_cn_uses_dn_syntax_in_dns},`
		`+ (ConfigGetFunc)config_get_cn_uses_dn_syntax_in_dns, &init_cn_uses_dn_syntax_in_dns, NULL},`
		`#if defined(LINUX)`
		`{CONFIG_MALLOC_MXFAST, config_set_malloc_mxfast,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.malloc_mxfast,`
		`CONFIG_INT, (ConfigGetFunc)config_get_malloc_mxfast,`
		`- &init_malloc_mxfast},`
		`+ &init_malloc_mxfast, NULL},`
		`{CONFIG_MALLOC_TRIM_THRESHOLD, config_set_malloc_trim_threshold,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.malloc_trim_threshold,`
		`CONFIG_INT, (ConfigGetFunc)config_get_malloc_trim_threshold,`
		`- &init_malloc_trim_threshold},`
		`+ &init_malloc_trim_threshold, NULL},`
		`{CONFIG_MALLOC_MMAP_THRESHOLD, config_set_malloc_mmap_threshold,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.malloc_mmap_threshold,`
		`CONFIG_INT, (ConfigGetFunc)config_get_malloc_mmap_threshold,`
		`- &init_malloc_mmap_threshold},`
		`+ &init_malloc_mmap_threshold, NULL},`
		`#endif`
		`{CONFIG_IGNORE_TIME_SKEW, config_set_ignore_time_skew,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.ignore_time_skew,`
		`- CONFIG_ON_OFF, (ConfigGetFunc)config_get_ignore_time_skew, &init_ignore_time_skew},`
		`+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_ignore_time_skew, &init_ignore_time_skew, NULL},`
		`{CONFIG_GLOBAL_BACKEND_LOCK, config_set_global_backend_lock,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.global_backend_lock,`
		`- CONFIG_ON_OFF, (ConfigGetFunc)config_get_global_backend_lock, &init_global_backend_local},`
		`+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_global_backend_lock, &init_global_backend_local, NULL},`
		`{CONFIG_MAXSIMPLEPAGED_PER_CONN_ATTRIBUTE, config_set_maxsimplepaged_per_conn,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.maxsimplepaged_per_conn,`
		`- CONFIG_INT, (ConfigGetFunc)config_get_maxsimplepaged_per_conn, SLAPD_DEFAULT_MAXSIMPLEPAGED_PER_CONN_STR},`
		`+ CONFIG_INT, (ConfigGetFunc)config_get_maxsimplepaged_per_conn, SLAPD_DEFAULT_MAXSIMPLEPAGED_PER_CONN_STR, NULL},`
		`{CONFIG_ENABLE_NUNC_STANS, config_set_enable_nunc_stans,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.enable_nunc_stans,`
		`- CONFIG_ON_OFF, (ConfigGetFunc)config_get_enable_nunc_stans, &init_enable_nunc_stans},`
		`+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_enable_nunc_stans, &init_enable_nunc_stans, NULL},`
		`/* Audit fail log configuration */`
		`{CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE, NULL,`
		`log_set_mode, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_mode,`
		`- CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE},`
		`+ CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE, NULL},`
		`{CONFIG_AUDITFAILLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,`
		`log_set_rotationsync_enabled, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_rotationsync_enabled,`
		`- CONFIG_ON_OFF, NULL, &init_auditfaillog_rotationsync_enabled},`
		`+ CONFIG_ON_OFF, NULL, &init_auditfaillog_rotationsync_enabled, NULL},`
		`{CONFIG_AUDITFAILLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE, NULL,`
		`log_set_rotationsynchour, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_rotationsynchour,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR, NULL},`
		`{CONFIG_AUDITFAILLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,`
		`log_set_rotationsyncmin, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_rotationsyncmin,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR, NULL},`
		`{CONFIG_AUDITFAILLOG_LOGROTATIONTIME_ATTRIBUTE, NULL,`
		`log_set_rotationtime, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_rotationtime,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR, NULL},`
		`{CONFIG_AUDITFAILLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,`
		`log_set_maxdiskspace, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_maxdiskspace,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXDISKSPACE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXDISKSPACE_STR, NULL},`
		`{CONFIG_AUDITFAILLOG_MAXLOGSIZE_ATTRIBUTE, NULL,`
		`log_set_logsize, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_maxlogsize,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR, NULL},`
		`{CONFIG_AUDITFAILLOG_LOGEXPIRATIONTIME_ATTRIBUTE, NULL,`
		`log_set_expirationtime, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_exptime,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR, NULL},`
		`{CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,`
		`log_set_numlogsperdir, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_maxnumlogs,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXNUMLOGS_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXNUMLOGS_STR, NULL},`
		`{CONFIG_AUDITFAILLOG_LIST_ATTRIBUTE, NULL,`
		`NULL, 0, NULL,`
		`- CONFIG_CHARRAY, (ConfigGetFunc)config_get_auditfaillog_list, NULL},`
		`+ CONFIG_CHARRAY, (ConfigGetFunc)config_get_auditfaillog_list, NULL, NULL},`
		`{CONFIG_AUDITFAILLOG_LOGGING_ENABLED_ATTRIBUTE, NULL,`
		`log_set_logging, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_logging_enabled,`
		`- CONFIG_ON_OFF, NULL, &init_auditfaillog_logging_enabled},`
		`+ CONFIG_ON_OFF, NULL, &init_auditfaillog_logging_enabled, NULL},`
		`{CONFIG_AUDITFAILLOG_LOGGING_HIDE_UNHASHED_PW, config_set_auditfaillog_unhashed_pw,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_logging_hide_unhashed_pw,`
		`- CONFIG_ON_OFF, NULL, &init_auditfaillog_logging_hide_unhashed_pw},`
		`+ CONFIG_ON_OFF, NULL, &init_auditfaillog_logging_hide_unhashed_pw, NULL},`
		`{CONFIG_AUDITFAILLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE, NULL,`
		`log_set_expirationtimeunit, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_exptimeunit,`
		`- CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT},`
		`+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT, NULL},`
		`{CONFIG_AUDITFAILLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,`
		`log_set_mindiskspace, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_minfreespace,`
		`- CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR},`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR, NULL},`
		`{CONFIG_AUDITFAILLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE, NULL,`
		`log_set_rotationtimeunit, SLAPD_AUDITFAIL_LOG,`
		`(void **)&global_slapdFrontendConfig.auditfaillog_rotationunit,`
		`- CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_AUDITFAILLOG_ROTATIONUNIT},`
		`+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_AUDITFAILLOG_ROTATIONUNIT, NULL},`
		`{CONFIG_AUDITFAILFILE_ATTRIBUTE, config_set_auditfaillog,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.auditfaillog,`
		`- CONFIG_STRING_OR_EMPTY, NULL, "" /* prevents deletion when null */},`
		`+ CONFIG_STRING_OR_EMPTY, NULL, "", NULL /* prevents deletion when null */},`
		`/* End audit fail log configuration */`
		`/* warning: initialization makes pointer from integer without a cast [enabled by default]. Why do we get this? */`
		`#ifdef HAVE_CLOCK_GETTIME`
		`{CONFIG_LOGGING_HR_TIMESTAMPS, config_set_logging_hr_timestamps,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.logging_hr_timestamps,`
		`- CONFIG_ON_OFF, NULL, &init_logging_hr_timestamps},`
		`+ CONFIG_ON_OFF, NULL, &init_logging_hr_timestamps, NULL},`
		`#endif`
		`{CONFIG_EXTRACT_PEM, config_set_extract_pem,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.extract_pem,`
		`- CONFIG_ON_OFF, (ConfigGetFunc)config_get_extract_pem, &init_extract_pem},`
		`+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_extract_pem, &init_extract_pem, NULL},`
		`{CONFIG_LOGGING_BACKEND, NULL,`
		`log_set_backend, 0,`
		`(void **)&global_slapdFrontendConfig.logging_backend,`
		`- CONFIG_STRING_OR_EMPTY, NULL, SLAPD_INIT_LOGGING_BACKEND_INTERNAL},`
		`+ CONFIG_STRING_OR_EMPTY, NULL, SLAPD_INIT_LOGGING_BACKEND_INTERNAL, NULL},`
		`{CONFIG_TLS_CHECK_CRL_ATTRIBUTE, config_set_tls_check_crl,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.tls_check_crl,`
		`CONFIG_SPECIAL_TLS_CHECK_CRL, (ConfigGetFunc)config_get_tls_check_crl,`
		`- "none" /* Allow reset to this value */},`
		`+ "none", NULL /* Allow reset to this value */},`
		`{CONFIG_ENABLE_UPGRADE_HASH, config_set_enable_upgrade_hash,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.enable_upgrade_hash,`
		`- CONFIG_ON_OFF, (ConfigGetFunc)config_get_enable_upgrade_hash, &init_enable_upgrade_hash},`
		`+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_enable_upgrade_hash, &init_enable_upgrade_hash, NULL},`
		`{CONFIG_VERIFY_FILTER_SCHEMA, config_set_verify_filter_schema,`
		`NULL, 0,`
		`(void **)&global_slapdFrontendConfig.verify_filter_schema,`
		`CONFIG_SPECIAL_FILTER_VERIFY, (ConfigGetFunc)config_get_verify_filter_schema,`
		`&init_verify_filter_schema},`
		`+ {CONFIG_ENABLE_LDAPSSOTOKEN, config_set_enable_ldapssotoken,`
		`+ NULL, 0,`
		`+ (void **)&global_slapdFrontendConfig.enable_ldapssotoken,`
		`+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_enable_ldapssotoken, &init_enable_ldapssotoken, NULL},`
		`+ #ifdef RUST_ENABLE`
		`+ {CONFIG_LDAPSSOTOKEN_SECRET, config_set_ldapssotoken_secret,`
		`+ NULL, 0,`
		`+ NULL,`
		`+ CONFIG_STRING_GENERATED, (ConfigGetFunc)config_get_ldapssotoken_secret, NULL,`
		`+ (ConfigGenInitFunc)fernet_generate_new_key`
		`+ },`
		`+ {CONFIG_LDAPSSOTOKEN_TTL, config_set_ldapssotoken_ttl,`
		`+ NULL, 0,`
		`+ (void **)&global_slapdFrontendConfig.ldapssotoken_ttl,`
		`+ CONFIG_INT, NULL, SLAPD_DEFAULT_LDAPSSOTOKEN_TTL_STR, NULL},`
		`+ #endif`
		`/* End config */`
		`};`

		`@@ -1784,6 +1804,17 @@`
		`*/`
		`init_enable_upgrade_hash = cfg->enable_upgrade_hash = LDAP_ON;`
		`init_verify_filter_schema = cfg->verify_filter_schema = SLAPI_WARN_SAFE;`
		`+ /*`
		`+ * Default to enabled ldapssotoken, but if no secret is given we generate one`
		`+ * randomly each startup.`
		`+ */`
		`+ #ifdef RUST_ENABLE`
		`+ init_enable_ldapssotoken = cfg->enable_ldapssotoken = LDAP_ON;`
		`+ cfg->ldapssotoken_secret = fernet_generate_new_key();`
		`+ cfg->ldapssotoken_ttl = SLAPD_DEFAULT_LDAPSSOTOKEN_TTL;`
		`+ #else`
		`+ init_enable_ldapssotoken = cfg->enable_ldapssotoken = LDAP_OFF;`
		`+ #endif`

		`/* Done, unlock! */`
		`CFG_UNLOCK_WRITE(cfg);`
		`@@ -7760,6 +7791,118 @@`
		`return FILTER_POLICY_OFF;`
		`}`

		`+ int32_t`
		`+ config_get_enable_ldapssotoken()`
		`+ {`
		`+ int32_t retVal;`
		`+ #ifdef RUST_ENABLE`
		`+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();`
		`+ CFG_LOCK_READ(slapdFrontendConfig);`
		`+ retVal = slapdFrontendConfig->enable_ldapssotoken;`
		`+ CFG_UNLOCK_READ(slapdFrontendConfig);`
		`+ #else`
		`+ /* Always disabled if rust is not compiled in */`
		`+ retVal = 0;`
		`+ #endif`
		`+ return retVal;`
		`+ }`
		`+`
		`+ int32_t`
		`+ config_set_enable_ldapssotoken(const char attrname, char value, char *errorbuf, int apply)`
		`+ {`
		`+ int32_t retVal = LDAP_SUCCESS;`
		`+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();`
		`+`
		`+ retVal = config_set_onoff(attrname, value,`
		`+ &(slapdFrontendConfig->enable_ldapssotoken),`
		`+ errorbuf, apply);`
		`+ return retVal;`
		`+ }`
		`+`
		`+ char *`
		`+ config_get_ldapssotoken_secret()`
		`+ {`
		`+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();`
		`+ char *retVal;`
		`+`
		`+ CFG_LOCK_READ(slapdFrontendConfig);`
		`+ retVal = config_copy_strval(slapdFrontendConfig->ldapssotoken_secret);`
		`+ CFG_UNLOCK_READ(slapdFrontendConfig);`
		`+`
		`+ return retVal;`
		`+ }`
		`+`
		`+ int32_t`
		`+ config_set_ldapssotoken_secret(const char attrname, char value, char *errorbuf, int apply)`
		`+ {`
		`+ #ifdef RUST_ENABLE`
		`+ if (config_get_enable_ldapssotoken() == 0) {`
		`+ return LDAP_OPERATIONS_ERROR;`
		`+ }`
		`+`
		`+ int32_t retVal = LDAP_SUCCESS;`
		`+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();`
		`+`
		`+ if (config_value_is_null(attrname, value, errorbuf, 0)) {`
		`+ return LDAP_OPERATIONS_ERROR;`
		`+ }`
		`+`
		`+ if (fernet_validate_key(value) == 0) {`
		`+ return LDAP_UNWILLING_TO_PERFORM;`
		`+ }`
		`+`
		`+ if (!apply) {`
		`+ return retVal;`
		`+ }`
		`+`
		`+ CFG_LOCK_WRITE(slapdFrontendConfig);`
		`+ slapi_ch_free((void **)&slapdFrontendConfig->ldapssotoken_secret);`
		`+`
		`+ slapdFrontendConfig->ldapssotoken_secret = slapi_ch_strdup(value);`
		`+`
		`+ CFG_UNLOCK_WRITE(slapdFrontendConfig);`
		`+ return retVal;`
		`+ #else`
		`+ return LDAP_OPERATIONS_ERROR;`
		`+ #endif`
		`+ }`
		`+`
		`+ int32_t`
		`+ config_set_ldapssotoken_ttl(const char attrname, char value, char *errorbuf, int apply)`
		`+ {`
		`+ int32_t retVal = LDAP_SUCCESS;`
		`+ int32_t ldapssotoken_ttl = 0;`
		`+ char *endp = NULL;`
		`+`
		`+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();`
		`+`
		`+ if (config_value_is_null(attrname, value, errorbuf, 0)) {`
		`+ return LDAP_OPERATIONS_ERROR;`
		`+ }`
		`+`
		`+ errno = 0;`
		`+ ldapssotoken_ttl = (int32_t)strtol(value, &endp, 10);`
		`+`
		`+ if (*endp != '\0' \|\| errno == ERANGE \|\| ldapssotoken_ttl < 1 \|\| ldapssotoken_ttl > 86400) {`
		`+ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,`
		`+ "%s: invalid value \"%s\", maximum ldapssotoken ttl must range from 1 to 86400 (1 day)",`
		`+ attrname, value);`
		`+ retVal = LDAP_OPERATIONS_ERROR;`
		`+ }`
		`+`
		`+ if (apply) {`
		`+ slapi_atomic_store_32(&(slapdFrontendConfig->ldapssotoken_ttl), ldapssotoken_ttl, __ATOMIC_RELEASE);`
		`+ }`
		`+ return retVal;`
		`+ }`
		`+`
		`+ int32_t`
		`+ config_get_ldapssotoken_ttl()`
		`+ {`
		`+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();`
		`+ return slapi_atomic_load_32(&(slapdFrontendConfig->ldapssotoken_ttl), __ATOMIC_ACQUIRE);`
		`+ }`
		`+`
		`/*`
		`* This function is intended to be used from the dse code modify callback. It`
		`* is "optimized" for that case because it takes a berval** of values, which is`
		`@@ -7802,7 +7945,7 @@`
		`break;`

		`default:`
		`- if (values == NULL && cgas->initvalue != NULL) {`
		`+ if (values == NULL && (cgas->initvalue != NULL \|\| cgas->geninitfunc != NULL)) {`
		`/* We are deleting all our values and reset to defaults */`
		`char initvalbuf[64];`
		`void *initval = cgas->initvalue;`
		`@@ -7810,7 +7953,11 @@`
		`initval = (void *)config_initvalue_to_onoff(cgas, initvalbuf, sizeof(initvalbuf));`
		`} else if (cgas->config_var_type == CONFIG_SPECIAL_FILTER_VERIFY) {`
		`initval = (void *)config_initvalue_to_special_filter_verify(cgas, initvalbuf, sizeof(initvalbuf));`
		`+ } else {`
		`+ initval = cgas->geninitfunc();`
		`}`
		`+ PR_ASSERT(initval);`
		`+`
		`if (cgas->setfunc) {`
		`retval = (cgas->setfunc)(cgas->attr_name, initval, errorbuf, apply);`
		`} else if (cgas->logsetfunc) {`
		`@@ -7885,6 +8032,11 @@`
		`(value && ((char )value)) ? ((char **)value) : "");`
		`break;`

		`+ case CONFIG_STRING_GENERATED:`
		`+ PR_ASSERT(value);`
		`+ slapi_entry_attr_set_charptr(e, cgas->attr_name, ((char *)value));`
		`+ break;`
		`+`
		`case CONFIG_CHARRAY:`
		`if (value) {`
		`values = strarray2bervalarray((const char *)((char ***)value));`

ldap/servers/slapd/proto-slap.h

file modified

		`@@ -595,6 +595,15 @@`
		`int32_t config_get_enable_upgrade_hash(void);`
		`int32_t config_set_enable_upgrade_hash(const char attrname, char value, char *errorbuf, int apply);`

		`+`
		`+ int32_t config_get_enable_ldapssotoken();`
		`+ int32_t config_set_enable_ldapssotoken(const char attrname, char value, char *errorbuf, int apply);`
		`+ char * config_get_ldapssotoken_secret();`
		`+ int32_t config_set_ldapssotoken_secret(const char attrname, char value, char *errorbuf, int apply);`
		`+ int32_t config_set_ldapssotoken_ttl(const char attrname, char value, char *errorbuf, int apply);`
		`+ int32_t config_get_ldapssotoken_ttl();`
		`+`
		`+`
		`int is_abspath(const char *);`
		`char rel2abspath(char );`
		`char rel2abspath_ext(char , char *);`

ldap/servers/slapd/pw_verify.c

file modified

+29

		`@@ -87,6 +87,35 @@`
		`}`

		`/*`
		`+ * Given a bind request, if the pw verification failed, and we are able to do a token bind`
		`+ * attempt and see if the token is valid and successful.`
		`+ */`
		`+ int32_t`
		`+ pw_verify_token_dn(Slapi_PBlock *pb) {`
		`+ int rc = SLAPI_BIND_FAIL;`
		`+ #ifdef RUST_ENABLE`
		`+ struct berval *cred = NULL;`
		`+ Slapi_DN *sdn = NULL;`
		`+`
		`+ /* Is the token auth config enabled? */`
		`+ if (!config_get_enable_ldapssotoken()) {`
		`+ return rc;`
		`+ }`
		`+`
		`+ slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &cred);`
		`+ slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);`
		`+ char *dn = slapi_sdn_get_dn(sdn);`
		`+ char *key = config_get_ldapssotoken_secret();`
		`+ uint64_t tok_ttl = (uint64_t)config_get_ldapssotoken_ttl();`
		`+`
		`+ if (fernet_verify_token(dn, cred->bv_val, key, tok_ttl) != 0) {`
		`+ rc = SLAPI_BIND_SUCCESS;`
		`+ }`
		`+ #endif`
		`+ return rc;`
		`+ }`
		`+`
		`+ /*`
		`* Resolve the dn we have been requested to bind with and verify it's`
		`* valid, and has a backend.`
		`*`

ldap/servers/slapd/pw_verify.h

file modified

		`@@ -12,5 +12,6 @@`
		`int pw_verify_root_dn(const char dn, const Slapi_Value cred);`
		`int pw_verify_be_dn(Slapi_PBlock pb, Slapi_Entry *referral);`
		`int pw_validate_be_dn(Slapi_PBlock pb, Slapi_Entry *referral);`
		`+ int32_t pw_verify_token_dn(Slapi_PBlock *pb);`

		`#endif /* _SLAPD_PW_VERIFY_H_ */`

ldap/servers/slapd/slap.h

file modified

+17 -2

		`@@ -274,6 +274,8 @@`
		`#define SLAPD_DEFAULT_MAXSIMPLEPAGED_PER_CONN_STR "-1"`
		`/* We'd like this number to be prime for the hash into the Connection table */`
		`#define SLAPD_DEFAULT_CONNTABLESIZE 4093 /* connection table size */`
		`+ #define SLAPD_DEFAULT_LDAPSSOTOKEN_TTL 3600`
		`+ #define SLAPD_DEFAULT_LDAPSSOTOKEN_TTL_STR "3600"`

		`#define SLAPD_DEFAULT_NDN_SIZE 20971520`
		`#define SLAPD_DEFAULT_NDN_SIZE_STR "20971520"`
		`@@ -735,6 +737,9 @@`
		`#define EXTOP_BULK_IMPORT_START_OID "2.16.840.1.113730.3.5.7"`
		`#define EXTOP_BULK_IMPORT_DONE_OID "2.16.840.1.113730.3.5.8"`
		`#define EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1"`
		`+ #define EXTOP_LDAPSSOTOKEN_REQUEST_OID "2.16.840.1.113730.3.5.14"`
		`+ #define EXTOP_LDAPSSOTOKEN_RESPONSE_OID "2.16.840.1.113730.3.5.15"`
		`+ #define EXTOP_LDAPSSOTOKEN_REVOKE_OID "2.16.840.1.113730.3.5.16"`

		`/*`
		`* Represents a Distinguished Name of an entry`
		`@@ -1689,6 +1694,7 @@`
		`int32_t c_minssf_exclude_rootdse;`
		`int32_t c_anon_access;`
		`int32_t c_max_threads_per_conn;`
		`+ int32_t c_bind_auth_token;`
		`} Connection;`
		`#define CONN_FLAG_SSL 1 /* Is this connection an SSL connection or not ? \`
		`* Used to direct I/O code when SSL is handled differently \`
		`@@ -2261,10 +2267,13 @@`
		`#define CONFIG_MALLOC_TRIM_THRESHOLD "nsslapd-malloc-trim-threshold"`
		`#define CONFIG_MALLOC_MMAP_THRESHOLD "nsslapd-malloc-mmap-threshold"`

		`- #define CONFIG_VERIFY_FILTER_SCHEMA "nsslapd-verify-filter-schema"`
		`-`
		`#define DEFAULT_MALLOC_UNSET (-10)`

		`+ #define CONFIG_VERIFY_FILTER_SCHEMA "nsslapd-verify-filter-schema"`
		`+ #define CONFIG_ENABLE_LDAPSSOTOKEN "nsslapd-enable-ldapssotoken"`
		`+ #define CONFIG_LDAPSSOTOKEN_SECRET "nsslapd-ldapssotoken-secret"`
		`+ #define CONFIG_LDAPSSOTOKEN_TTL "nsslapd-ldapssotoken-ttl-secs"`
		`+`
		`/*`
		`* Define the backlog number for use in listen() call.`
		`* We use the same definition as in ldapserver/include/base/systems.h`
		`@@ -2553,6 +2562,12 @@`
		`* off - don't warn, just allow anything. This is the legacy behaviour.`
		`*/`
		`slapi_special_filter_verify_t verify_filter_schema;`
		`+ /*`
		`+ * Do we enable generation of ldapssotokens (cookies) for re-binding?`
		`+ */`
		`+ slapi_onoff_t enable_ldapssotoken;`
		`+ char *ldapssotoken_secret;`
		`+ slapi_int_t ldapssotoken_ttl;`
		`} slapdFrontendConfig_t;`

		`/* possible values for slapdFrontendConfig_t.schemareplace */`

rpm.mk

file modified

+3 -6

		`@@ -39,14 +39,11 @@`
		`rm -rf rpmbuild`

		`update-cargo-dependencies:`
		`- cargo update --manifest-path=./src/libsds/Cargo.toml`
		`- cargo update --manifest-path=./src/librslapd/Cargo.toml`
		`+ cargo update --manifest-path=./src/Cargo.toml`

		`download-cargo-dependencies:`
		`- cargo vendor --manifest-path=./src/libsds/Cargo.toml`
		`- cargo fetch --manifest-path=./src/libsds/Cargo.toml`
		`- cargo vendor --manifest-path=./src/librslapd/Cargo.toml`
		`- cargo fetch --manifest-path=./src/librslapd/Cargo.toml`
		`+ cargo vendor --manifest-path=./src/Cargo.toml`
		`+ cargo fetch --manifest-path=./src/Cargo.toml`

		`install-node-modules:`
		`cd src/cockpit/389-console; make -f node_modules.mk install`

src/Cargo.toml

file added

		`@@ -0,0 +1,8 @@`
		`+`
		`+ [workspace]`
		`+ members = [`
		`+ "librslapd",`
		`+ "librnsslapd",`
		`+ "libsds",`
		`+ "slapd",`
		`+ ]`

src/lib389/lib389/extended_operations.py

file modified

+8 -25

		`@@ -21,47 +21,30 @@`
		`# Tag id's should match https://www.obj-sys.com/asn1tutorial/node124.html`

		`class LdapSSOTokenRequestValue(univ.Sequence):`
		`- componentType = namedtype.NamedTypes(`
		`- namedtype.NamedType('ValidLifeTime', univ.Integer().subtype(`
		`- implicitTag=tag.Tag(tag.tagClassUniversal,tag.tagFormatSimple,0)`
		`- )`
		`- ),`
		`- )`
		`+ pass`

		`class LdapSSOTokenResponseValue(univ.Sequence):`
		`componentType = namedtype.NamedTypes(`
		`- namedtype.NamedType('ValidLifeTime', univ.Integer().subtype(`
		`- implicitTag=tag.Tag(tag.tagClassUniversal,tag.tagFormatSimple,2)`
		`- )`
		`- ),`
		`- namedtype.NamedType('EncryptedToken', univ.OctetString().subtype(`
		`- implicitTag=tag.Tag(tag.tagClassUniversal,tag.tagFormatSimple,4)`
		`- )`
		`- ),`
		`+ namedtype.NamedType('ValidLifeTime', univ.Integer()),`
		`+ namedtype.NamedType('EncryptedToken', univ.OctetString()),`
		`)`

		`class LdapSSOTokenRequest(ExtendedRequest):`
		`- requestName = '2.16.840.1.113730.3.5.14'`
		`def __init__(self, requestValidLifeTime=0):`
		`- self.requestValidLifeTime = requestValidLifeTime`
		`+ self.requestName = '2.16.840.1.113730.3.5.14'`

		`def encodedRequestValue(self):`
		`v = LdapSSOTokenRequestValue()`
		`- v.setComponentByName('ValidLifeTime', univ.Integer(self.requestValidLifeTime).subtype(`
		`- implicitTag=tag.Tag(tag.tagClassUniversal,tag.tagFormatSimple,0)`
		`- )`
		`- )`
		`return encoder.encode(v)`

		`class LdapSSOTokenResponse(ExtendedResponse):`
		`- responseName = '2.16.840.1.113730.3.5.15'`
		`+ def __init__(self, encodedResponseValue):`
		`+ self.responseName = '2.16.840.1.113730.3.5.15'`
		`+ self.responseValue = self.decodeResponseValue(encodedResponseValue)`

		`def decodeResponseValue(self, value):`
		`response_value, _ = decoder.decode(value,asn1Spec=LdapSSOTokenResponseValue())`
		`self.validLifeTime = int(response_value.getComponentByName('ValidLifeTime'))`
		`- self.token = response_value.getComponentByName('EncryptedToken')`
		`+ self.token = str(response_value.getComponentByName('EncryptedToken'))`
		`return (self.validLifeTime, self.token)`

		`- class LdapSSOTokenRevokeRequest(ExtendedRequest):`
		`- requestName = '2.16.840.1.113730.3.5.16'`
		`-`

src/lib389/lib389/idm/account.py

file modified

+29

		`@@ -20,6 +20,7 @@`
		`from lib389.cos import CosTemplates`
		`from lib389.mappingTree import MappingTrees`
		`from lib389.idm.role import Roles`
		`+ from lib389.extended_operations import LdapSSOTokenRequest, LdapSSOTokenResponse`


		`class AccountState(Enum):`
		`@@ -292,6 +293,34 @@`
		`self._instance.passwd_s(self._dn, current_password, new_password,`
		`serverctrls=self._server_controls, clientctrls=self._client_controls, escapehatch='i am sure')`

		`+ def request_sso_token(self):`
		`+ """From an authenticated connection, request a single sign on token (cookie) for`
		`+ future use.`
		`+`
		`+ Note this function will fail if the connection was itself authenticated with a`
		`+ token - this is to prevent token renewal from being infinite which may be a`
		`+ security risk.`
		`+`
		`+ :returns: String of the token for use with authenticate_sso_token`
		`+ """`
		`+ # Build the request`
		`+ req = LdapSSOTokenRequest()`
		`+ # Get the response`
		`+ (_, res) = self._instance.extop_s(req, serverctrls=self._server_controls,`
		`+ clientctrls=self._client_controls, escapehatch='i am sure')`
		`+ (lt, token) = LdapSSOTokenResponse(res).responseValue`
		`+ return token`
		`+`
		`+ def authenticate_sso_token(self, token, args, *kwargs):`
		`+ """`
		`+ Given an entry (with dn), bind using this authentication token.`
		`+`
		`+ :param token: An entry token`
		`+ :type token: str`
		`+ :returns: Connection with a binding as the entry`
		`+ """`
		`+ return self.bind(token, args, *kwargs)`
		`+`

		`class Accounts(DSLdapObjects):`
		`"""DSLdapObjects that represents Account entry`

src/lib389/lib389/paths.py

file modified

+10

		`@@ -205,3 +205,13 @@`
		`if self._config.get(SECTION, 'enable_perl') == 'yes':`
		`return True`
		`return False`
		`+`
		`+ @property`
		`+ def rust_enabled(self):`
		`+ if self._defaults_cached is False:`
		`+ self._read_defaults()`
		`+ self._validate_defaults()`
		`+ if self._config.has_option(SECTION, 'enable_rust'):`
		`+ if self._config.get(SECTION, 'enable_rust') == 'no':`
		`+ return False`
		`+ return True`

src/librnsslapd/Cargo.toml

file added

+25

		`@@ -0,0 +1,25 @@`
		`+ [package]`
		`+ name = "librnsslapd"`
		`+ version = "0.1.0"`
		`+ authors = ["William Brown <william@blackhats.net.au>"]`
		`+ edition = "2018"`
		`+ build = "build.rs"`
		`+`
		`+ # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html`
		`+`
		`+ [lib]`
		`+ path = "src/lib.rs"`
		`+ name = "rnsslapd"`
		`+ crate-type = ["staticlib", "lib"]`
		`+`
		`+ [profile.release]`
		`+ panic = "abort"`
		`+ lto = true`
		`+`
		`+ [dependencies]`
		`+ slapd = { path = "../slapd" }`
		`+ libc = "0.2"`
		`+`
		`+ [build-dependencies]`
		`+ cbindgen = "0.9"`
		`+`

src/librnsslapd/README.md

file added

		`@@ -0,0 +1,4 @@`
		`+ This is the librnsslapd wrapper - it's a rust -> c bindgen stub. It does`
		`+ not provide any logic, but exists to resolve linking issues that`
		`+ exist between autotools and rust. For all the Rust logic, see ../slapd.`
		`+`

src/librnsslapd/build.rs

file added

+15

		`@@ -0,0 +1,15 @@`
		`+ extern crate cbindgen;`
		`+`
		`+ use std::env;`
		`+`
		`+ fn main() {`
		`+ let crate_dir = env::var("CARGO_MANIFEST_DIR").unwrap();`
		`+ let out_dir = env::var("SLAPD_HEADER_DIR").unwrap();`
		`+`
		`+ cbindgen::Builder::new()`
		`+ .with_language(cbindgen::Language::C)`
		`+ .with_crate(crate_dir)`
		`+ .generate()`
		`+ .expect("Unable to generate bindings")`
		`+ .write_to_file(format!("{}/rust-nsslapd-private.h", out_dir));`
		`+ }`

src/librnsslapd/src/lib.rs

file added

+70

		`@@ -0,0 +1,70 @@`
		`+ // It's important that symbol names here are unique and do no conflict with symbol`
		`+ // names in ../../librslapd/src/lib.rs`
		`+ //`
		`+ // Remember this is just a c-bindgen stub, all logic should come from slapd!`
		`+`
		`+ extern crate libc;`
		`+ use slapd;`
		`+ use libc::c_char;`
		`+ use std::ffi::{CString, CStr};`
		`+`
		`+ #[no_mangle]`
		`+ pub extern "C" fn do_nothing_again_rust() -> usize {`
		`+ 0`
		`+ }`
		`+`
		`+ #[no_mangle]`
		`+ pub extern "C" fn fernet_generate_token(dn: const c_char, raw_key: const c_char) -> *mut c_char {`
		`+ if dn.is_null() \|\| raw_key.is_null() {`
		`+ return std::ptr::null_mut();`
		`+ }`
		`+ // Given a DN, generate a fernet token, or return NULL on error.`
		`+ let c_str_key = unsafe { CStr::from_ptr(raw_key) };`
		`+ let c_str_dn = unsafe { CStr::from_ptr(dn) };`
		`+ match slapd::fernet::new(c_str_key) {`
		`+ Ok(inst) => {`
		`+ // We have an instance, let's make the token.`
		`+ match slapd::fernet::encrypt(&inst, c_str_dn) {`
		`+ Ok(tok) => {`
		`+ // We have to move string memory ownership by copying so the system`
		`+ // allocator has it.`
		`+ let raw = tok.into_raw();`
		`+ let dup_tok = unsafe {`
		`+ libc::strdup(raw)`
		`+ };`
		`+ unsafe {`
		`+ CString::from_raw(raw);`
		`+ };`
		`+ dup_tok`
		`+ }`
		`+ Err(_) => std::ptr::null_mut(),`
		`+ }`
		`+ }`
		`+ Err(_) => std::ptr::null_mut(),`
		`+ }`
		`+ }`
		`+`
		`+ #[no_mangle]`
		`+ pub extern "C" fn fernet_verify_token(dn: const c_char, token: const c_char, raw_key: *const c_char, ttl: u64) -> bool {`
		`+ if dn.is_null() \|\| raw_key.is_null() \|\| token.is_null() {`
		`+ return false;`
		`+ }`
		`+`
		`+ let c_str_key = unsafe { CStr::from_ptr(raw_key) };`
		`+ let c_str_dn = unsafe { CStr::from_ptr(dn) };`
		`+ let c_str_token = unsafe { CStr::from_ptr(token) };`
		`+`
		`+ match slapd::fernet::new(c_str_key) {`
		`+ Ok(inst) => {`
		`+ match slapd::fernet::decrypt(&inst, c_str_token, ttl) {`
		`+ Ok(val) => {`
		`+ // Finally check if the extracted dn is what we expect`
		`+ val.as_c_str() == c_str_dn`
		`+ }`
		`+ Err(_) => false,`
		`+ }`
		`+ }`
		`+ Err(_) => false,`
		`+ }`
		`+ }`
		`+`

src/librslapd/Cargo.toml

file modified

+2 -1

		`@@ -16,8 +16,9 @@`
		`panic = "abort"`
		`lto = true`

		`-`
		`[dependencies]`
		`+ slapd = { path = "../slapd" }`
		`+ libc = "0.2"`

		`[build-dependencies]`
		`cbindgen = "0.9"`

src/librslapd/README.md

file added

		`@@ -0,0 +1,3 @@`
		`+ This is the librslapd wrapper - it's a rust -> c bindgen stub. It does`
		`+ not provide any logic, but exists to resolve linking issues that`
		`+ exist between autotools and rust. For all the Rust logic, see ../slapd.`

src/librslapd/src/lib.rs

file modified

+49 -5

		`@@ -1,12 +1,56 @@`
		`+ // It's important that symbol names here are unique and do no conflict with symbol`
		`+ // names in ../../librnsslapd/src/lib.rs`
		`+ //`
		`+ // Remember this is just a c-bindgen stub, all logic should come from slapd!`
		`+`
		`+ extern crate libc;`
		`+`
		`+ use slapd;`
		`+`
		`+ use libc::c_char;`
		`+ use std::ffi::{CString, CStr};`
		`+`
		`#[no_mangle]`
		`pub extern "C" fn do_nothing_rust() -> usize {`
		`0`
		`}`

		`- #[cfg(test)]`
		`- mod tests {`
		`- #[test]`
		`- fn it_works() {`
		`- assert_eq!(2 + 2, 4);`
		`+ #[no_mangle]`
		`+ pub extern "C" fn rust_free_string(s: *mut c_char) {`
		`+ if !s.is_null() {`
		`+ let _ = unsafe {`
		`+ CString::from_raw(s)`
		`+ };`
		`+ }`
		`+ }`
		`+`
		`+ #[no_mangle]`
		`+ pub extern "C" fn fernet_generate_new_key() -> *mut c_char {`
		`+ // It's important to note, we can't return the cstring here, we have to strdup`
		`+ // it so that the caller can free it.`
		`+ let res_key = slapd::fernet::generate_new_key();`
		`+ // While we have a rich error type, we can't do much with it over the ffi, so`
		`+ // discard it here (for now). When we impl logging in rust it will be easier to`
		`+ // then consume this error type.`
		`+ match res_key {`
		`+ Ok(key) => {`
		`+ let raw = key.into_raw();`
		`+ let dup_key = unsafe {`
		`+ libc::strdup(raw)`
		`+ };`
		`+ rust_free_string(raw);`
		`+ dup_key`
		`+ }`
		`+ Err(_) => std::ptr::null_mut(),`
		`}`
		`}`
		`+`
		`+ #[no_mangle]`
		`+ pub extern "C" fn fernet_validate_key(raw_key: *const c_char) -> bool {`
		`+ let c_str_key = unsafe { CStr::from_ptr(raw_key) };`
		`+ match slapd::fernet::new(c_str_key) {`
		`+ Ok(_) => true,`
		`+ Err(_) => false,`
		`+ }`
		`+ }`
		`+`

src/slapd/Cargo.toml

file added

+10

		`@@ -0,0 +1,10 @@`
		`+ [package]`
		`+ name = "slapd"`
		`+ version = "0.1.0"`
		`+ authors = ["William Brown <william@blackhats.net.au>"]`
		`+ edition = "2018"`
		`+`
		`+ # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html`
		`+`
		`+ [dependencies]`
		`+ fernet = "0.1"`

src/slapd/src/error.rs

file added

		`@@ -0,0 +1,8 @@`
		`+`
		`+ pub enum SlapdError {`
		`+ // This occurs when a string contains an inner null byte`
		`+ // that cstring can't handle.`
		`+ CStringInvalidError,`
		`+ FernetInvalidKey,`
		`+ }`
		`+`

src/slapd/src/fernet.rs

file added

+39

		`@@ -0,0 +1,39 @@`
		`+ // Routines for managing fernet encryption`
		`+`
		`+ use std::ffi::{CString, CStr};`
		`+ use fernet::Fernet;`
		`+ use crate::error::SlapdError;`
		`+`
		`+ pub fn generate_new_key() -> Result<CString, SlapdError> {`
		`+ let k = Fernet::generate_key();`
		`+ CString::new(k)`
		`+ .map_err(\|_\| {`
		`+ SlapdError::CStringInvalidError`
		`+ })`
		`+ }`
		`+`
		`+ pub fn new(c_str_key: &CStr) -> Result<Fernet, SlapdError> {`
		`+ let str_key = c_str_key.to_str()`
		`+ .map_err(\|_\| SlapdError::CStringInvalidError)?;`
		`+ Fernet::new(str_key)`
		`+ .ok_or(SlapdError::FernetInvalidKey)`
		`+ }`
		`+`
		`+ pub fn encrypt(fernet: &Fernet, dn: &CStr) -> Result<CString, SlapdError> {`
		`+ let tok = fernet.encrypt(dn.to_bytes());`
		`+ CString::new(tok)`
		`+ .map_err(\|_\| {`
		`+ SlapdError::CStringInvalidError`
		`+ })`
		`+ }`
		`+`
		`+ pub fn decrypt(fernet: &Fernet, tok: &CStr, ttl: u64) -> Result<CString, SlapdError> {`
		`+ let s = tok.to_str()`
		`+ .map_err(\|_\| SlapdError::CStringInvalidError)?;`
		`+ let r: Vec<u8> = fernet.decrypt_with_ttl(s, ttl)`
		`+ .map_err(\|_\| SlapdError::FernetInvalidKey)?;`
		`+ CString::new(r)`
		`+ .map_err(\|_\| SlapdError::CStringInvalidError)`
		`+ }`
		`+`
		`+`

src/slapd/src/lib.rs

file added

		`@@ -0,0 +1,5 @@`
		`+`
		`+ pub mod error;`
		`+ pub mod fernet;`
		`+`
		`+`

firstyear commented 4 years ago

Bug Description: This implements LDAP ssotokens, a simple
but cryptographically strong method of providing "cookies" to clients
on request so that they can re-bind to a session at a later time. This
is required for the web portal so that the portal may remain "isolated"
without a strict security audit as the 389-ds server provides all
security features.

Fix Description: This adds the features for cookies with time limits up
to one day to be generated from a rust library. These can be "revoked"
globally by regeneration of the fernet key. Multiple DS servers can
accept the tokens if they all have the same key configured. The TTL
is adjustable based on site preferences. Additionally, sites that do
not compile rust features will not have the feature enabled.

https://pagure.io/389-ds-base/issue/48707

Author: William Brown william@blackhats.net.au

Review by: ???

Additionaly notes: this passes ASAN and LSAN, it works with rust enabled, and when disabled the feature is also disabled. Defaults inf was extended to allow the tests to verify they are not present.

firstyear commented on line 20 of ldap/servers/slapd/bind.c 4 years ago

Don't say it @mreynolds, I just spotted this incorrect comment syntax.

firstyear commented on line 1405 of ldap/servers/slapd/libglobs.c 4 years ago

Pre-empting "why did you touch so much in libglobs.c". It's because of this call here, where we add the capability for a initval generator function to each slot type for the config.

rebased onto 1e33353d6553d8d56d1f59434f40cebc9ac480b7

4 years ago

mreynolds commented on line 89 of ldap/servers/slapd/extendop.c 4 years ago

Please don't use java style comments

firstyear commented 4 years ago

AHhhhhh I swear I did a search for them all in the C code (Rust uses // for comments and /// for docs so we'll have to deal with it there).

1 new commit added

Fix misformatted comment

4 years ago

firstyear commented 4 years ago

@mreynolds and @mhonek ping :)

firstyear commented 4 years ago

Review reminder @mreynolds

mreynolds commented 4 years ago

Looks good, but I want to run a few tests with the patch. Question are there platforms that won't have rust (do we really need the #ifdefs)?

firstyear commented 4 years ago

The ifdef is more about "readiness" and when both SUSE/RedHat say "yes we can ship this to production", so it gives us a fast on/off switch. Perfect world, we shouldn't need it, but "just in case". This way we can do a release, if it goes wrong we can ifdef it off rather than reverting the patch.

Is that a reasonable comment?

mreynolds commented 4 years ago

@firstyear, Matus has some comments on your design doc about adding a token refresh option:

https://github.com/marcus2376/389wiki/pull/17

Just bringing it to your attention

mreynolds commented on line 9 of ldap/servers/slapd/bind.c 4 years ago

doe should "does"

mreynolds commented 4 years ago

Compiler error:

../389-ds-base/ldap/servers/slapd/bind.c: In function ‘do_bind’:
../389-ds-base/ldap/servers/slapd/bind.c:754:26: warning: implicit declaration of function ‘pw_verify_token_dn’; did you mean ‘pw_verify_be_dn’? [-Wimplicit-function-declaration]
754 | rc = pw_verify_token_dn(pb);
| ^~
| pw_verify_be_dn

Probably need to add it to header somewhere

Edited 4 years ago by mreynolds

firstyear commented 4 years ago

Thanks for the comments @mreynolds I'll have a look at this today. I'm surprised about the missing definition for the header though :(

Maybe I should change my compiler opts to -Werror?

rebased onto 05aad782b01e904f8d7ec76c8e58f35d0a3366e8

4 years ago

firstyear commented 4 years ago

Right, updated based on your feedback. Sometimes I wonder if you missed a career in spell checking :) :)

Also noted an issue with linking so that's resolved now.

firstyear commented 4 years ago

Any other comments @mreynolds or @mhonek?

mreynolds commented 4 years ago

Your patch no longer cleanly applies to Master branch, but it looks like you still have the same problem I reported in https://pagure.io/389-ds-base/pull-request/50703#comment-104376

in bind.c you need to include pw_verify.h

mreynolds commented 4 years ago

Your patch no longer cleanly applies to Master branch, but it looks like you still have the same problem I reported in https://pagure.io/389-ds-base/pull-request/50703#comment-104376
in bind.c you need to include pw_verify.h

Blah, every time I click "Submit Comment" I think "Wait! Double check ______". Yes bind.c had this include already. I would really like a patch that applies cleanly to give my full ACK, so get this patch rebased and I'll give it a quick once over and we can finally merge it!

firstyear commented 4 years ago

@mreynolds Doing it right now :)

rebased onto 5c23cf430fd540faebfd67b485f0bf660612e3b0

4 years ago

mreynolds commented 4 years ago